News Feature | July 29, 2014

Court Says Breach Lawsuit Needs To Prove Harm

By Christine Kern, contributing writer

A breach case against Sutter Medical Foundation has been dismissed by an appellate court.

Sutter Medical Foundation did not violate California's medical confidentiality act, and expose itself to potentially $4 billion in statutory damages, when a thief stole a computer containing 4 million patients' medical records, the Third District Court of Appeal ruled Monday. Sutter Medical Foundation is at least the third provider organization in California to beat back a class action lawsuit following a data breach by arguing that no harm to affected individuals was established.

A lower trial court previously ruled that Sutter Medical violated the state’s Confidentiality of Medical Information Act and plaintiffs could plead for a cause of action without alleging that medical information on the computer had been seen. Sutter Medical, which argued there could be no cause of action because harm was not established, appealed and a three-judge panel of the Third Appellate District in the Court of Appeal of the State of California agreed.

The state's medical privacy statute was not triggered because there's no evidence the thief or anyone else actually looked at the records, Justice George Nicholson wrote for a unanimous panel. "The legislation at issue is the 'Confidentiality of Medical Information Act,' not the Possession of Medical Information Act," he wrote.

“The plaintiffs failed to state a cause of action under the Confidentiality Act because they failed to allege a breach of confidentiality,” according to the appellate decision. “The mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records. Therefore, the trial court should have sustained Sutter Health’s demurrer.” A demurrer is a contention that, while the facts may be true, they are insufficient to support a claim. The appellate court returned the matter to the trial court.

In May 2014, the Fourth Appellate Court in California ruled that Eisenhower Medical Center was not liable for a breach affecting more than 500,000 individuals because actual medical information was not compromised. The case was returned to a lower court for further consideration.

Sutter Health v. Superior Court also reaches the same outcome as the Second District did in a case where a UCLA physician's hard drive was stolen from his home, but the reasoning was slightly different. UCLA faced a class action suit after an encrypted computer – along with a password written on a piece of paper – was among items taken from a physician’s home during a burglary. The trial judge overruled UCLA arguments that no actual breach was established, paving the way for damages. The appellate court, however, did not agree, saying that a pertinent section of the state medical confidentiality law is not violated without an actual breach of confidentiality.

California's health-care industry, which is facing at least nine class actions tied to claims that hospitals and medical groups disclosed patient data in violation of the confidentiality act, is keeping close tabs on the outcomes of these recent cases. The California Hospitals Association, the UC Regents and Consumer Attorneys of California are among those filing amicus curiae briefs.