CHA News Article

Appellate Court Issues Favorable Decision in Privacy Breach Case
CHA filed amicus brief for this and other recent cases

The California Court of Appeal for the Third Appellate District ruled yesterday that a lawsuit for damages based on the theft of medical information requires pleading and proof that an unauthorized individual actually viewed the confidential information. This is good news for hospitals and other health care providers that are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker — or any other person — actually viewed the medical information.

In this class action lawsuit brought against Sutter Health, the plaintiffs sought $4 billion following the theft of a desktop computer from its offices. The computer contained unencrypted medical information of approximately 4 million patients, and the plaintiffs sought damages of $1,000 per patient. There was no evidence that any third party accessed or viewed the medical information. The court, agreeing with a similar decision by the Court of Appeal for the Second Appellate District, held that Sutter is not liable to pay damages to the plaintiffs. The court’s decision is attached.

CHA filed an amicus brief in this and other recent cases, supporting the defendant hospitals, and will continue to advocate for reasonable interpretations of health information privacy and breach notification laws.

This is the third recent favorable decision in privacy breach lawsuits. In May, the California Court of Appeal for the Fourth Appellate District ruled that a release of patient demographic information did not constitute a violation of the state’s Confidentiality of Medical Information Act (CMIA). In that case, a stolen hospital computer included the name, medical record number, age, date of birth and the last four digits of the Social Security number of 500,000 patients. A class action lawsuit was filed under the CMIA, seeking nominal damages of $1,000 per patient. The court noted that the CMIA prohibits the disclosure of medical information, which is defined as information regarding “a patient’s medical history, mental or physical condition, or treatment.” The court rejected plaintiffs’ argument that the mere fact that a person’s name or demographic information was released by a hospital reveals that he or she was a patient, and thus constitutes a release of “medical information” under the CMIA.