News Feature | June 3, 2014

Hospital Released Of Liability In Data Breach

By Christine Kern, contributing writer

Eisenhower Medical Center breathes a sigh of relief after dodging liability bullet.

According to Health IT Security, a California appeals court has ruled Eisenhower Medical Center in Rancho Mirage cannot be held liable under state law for a huge data breach of protected health information since no actual medical information was compromised. Other charges in the case will return to a lower court for further consideration.

According to court documents, a computer stolen from Eisenhower on March 11, 2011, contained an index of over half a million individuals to whom the hospital had assigned a clerical record number. These records dated back to the 1980s and included name, medical number (MRN), age, date of birth, and the last four digits of the individual’s Social Security Number (SSN). The information in the index was password protected, but not encrypted.

Eisenhower notified the affected individuals of the theft a couple of weeks later. A class action lawsuit was brought against the hospital by affected individuals, seeking $1,000 each in damages.

In the lower Superior Court of Riverside County, Eisenhower argued that, under the state’s Confidentiality of Medical Information Act (CMIA), a provider cannot be held liable if breached identifying information is not accompanied by medical history, mental or physical condition, or treatment information. Based on this argument, the hospital called for a summary judgment that the theft did not result in disclosure of medical information. The Superior Court denied the motion and Eisenhower subsequently appealed.

Eisenhower argued the index did not contain medical information within the meaning of the CMIA, which requires a disclosure of ‘individually identifiable information’ (which it concedes the index contained) with information ‘regarding a patient’s medical history, mental or physical condition, or treatment.’

The plaintiffs argued that since Eisenhower had reported the computer theft as a breach to the HHS Office for Civil Rights, it must also be considered a breach of state law. “Plaintiffs primarily argued that the mere fact that a person’s name is on the index reveals that he or she was a patient and, thus, there has been a release of medical history,” according to the Appellate Court explanation. “Finally, they assert that the information on the index could be used to hack into the database and perhaps access a patient’s medical information.”

Ultimately, the Appellate Court substantially came down in favor of Eisenhower in the ruling. “Eisenhower contends that ‘medical information’ as defined under the CMIA is substantive information regarding a patient’s medical condition or history that is combined with individually identifiable information. It notes here there was a disclosure or release of ‘individually identifiable information,’ but not medical information. We agree. We note the issue thus drawn is a narrow one and does not require this court to determine whether there is a distinction between a disclosure or release of medical information under the CMIA, whether Eisenhower was negligent in handling its computer records, or whether unauthorized persons actually viewed plaintiffs’ medical records.”

The lawsuit returns to the Superior Court, which is ordered to set aside its denial of summary adjudication and issue a new order granting the motion.

The 11-page decision is available here.