The California Court of Appeal recently issued an opinion in a case that was on the minds of many health care providers in California—a case against Sutter Health arising out of the alleged theft of a laptop with approximately 4 million patients’ medical information on it. The California Medical Information Act, or CMIA, was the basis of the plaintiffs’ lawsuit against Sutter Health, and the plaintiffs sought billions of dollars of potential recovery, in the form of statutory penalties for the alleged violation of the CMIA.
In this case, the plaintiffs alleged that a computer, which was password protected but unencrypted, was stolen from Sutter. The plaintiffs brought a class action seeking to recover the statutory penalties under the CMIA on behalf of the 4 million patients. The Court of Appeal considered the Regents case, which also interpreted the CMIA and found that the alleged loss of a laptop, even where the password was potentially compromised, was insufficient to establish a cause of action under the CMIA.
The Regents case was positioned differently from this case, because the defendant in Regents did not argue that the confidentiality portion of the CMIA had not been violated by the alleged conduct, but rather that the plaintiff could not state a claim for any form of damages. This Court went further, finding that the confidentiality portion of the CMIA, expressed in § 56.101, was not violated because the plaintiffs could not prove that the information was actually viewed by anyone. Simply put, this Court found: “No breach of confidentiality takes place until an unauthorized person views the medical information.”
The case is important for health care companies to consider, and it brings the cases interpreting the CMIA into alignment with the more general data breach cases. It also is consistent with the findings of the Lares Institute’s research regarding data breaches, and the lack of damage suffered by individuals in many cases.