Sutter Health v. Superior Court

(Class action based on breach of confidentiality of Medical Information Act arising out of the theft of a lap top computer containing medical information failed to state a cause of action absent an allegation that an unauthorized person had viewed the informational records)

In Sutter Health v. Superior Court, 227 Cal.App.4th 1546 (July 21, 2014), the California Third District Court of Appeal granted a Petition For Writ Of Mandate filed by Sutter Health requesting an order requiring the trial court to dismiss a Class Action lawsuit based on violation of the “Confidentiality of Medical Information Act (“the Confidentiality Act”). The parties’ dispute arose out of the theft of Sutter Health’s desktop computer containing medical records of about 4 million patients. As a result of this theft, the party in interest, Dorothy Atkins, filed a Class Action lawsuit contending that Civil Code Sections 56 et seq., (i.e., sections addressing the Confidentiality Act) had been violated by Sutter Health, such that each member of the class was entitled to “nominal damages” of $1,000.00, amounting to a total $4 billion in nominal damages.

In response to the Class Action complaint, Sutter Health filed a demurrer arguing that the complaint should be dismissed because it failed it allege a breach of confidentiality. Sutter Health argued that mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records. The complaint did not include any allegations suggesting that an unauthorized person had actually viewed the medical records. Indeed, although the records were not encrypted, access to the records had been protected by a password. The complaint failed to allege that an unauthorized person had obtained the password and viewed the records. The trial court overruled Sutter Health’s demurrer. In response, Sutter Health filed a Petition for Writ of Mandate seeking to compel the trial court to dismiss the Class Action with prejudice.

The Court of Appeal issued an Alternative Writ and ultimately granted Sutter Home’s petition mandating the trial court to dismiss the Class Action with prejudice.

In granting the Sutter Home’s writ, the Court of Appeal held as follows:

Here, the plaintiffs argue that Sutter Health negligently stored the medical information and that the negligent storage resulted in a change of possession of the information to an unauthorized person. This change of possession increased the risk of a confidentiality breach. But the Confidentiality Act does not provide for liability for increasing the risk of a confidentiality breach. It provides for liability for failing to 'preserve° the confidentiality" of the medical records. (§ 56.101, subd. (a).) There is no allegation that Sutter Health's actions with respect to the records on the stolen computer did not preserve their confidentiality because there is no allegation that an unauthorized person has viewed the records. Without an actual breach of confidentiality, the loss of possession is not actionable under section 56.101.

The legislation at issue is the "Confidentiality of Medical Information Act," not the Possession of Medical Information Act. (§ 56.) While loss of possession may result in breach of confidentiality, loss of possession does not necessarily result in a breach of confidentiality. For that reason, a plaintiff must allege a breach of confidentiality, not just a loss of possession, to state a cause of action for nominal or actual damages under sections 56.101. (Accord, Regents, supra, 220 Cal.App.4th at p. 570, which arrives at the same conclusion by a different analytical route.)

The second sentence of section 56.101, subdivision (a) does not change this analysis. Although it does not repeat the language requiring the health care provider to preserve the confidentiality of the medical information, it makes the health care provider liable for negligence. "Any provider of health care . .. who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." (§ 56.101, subd. (a), italics added.) An essential element of negligence is that the tortfeasor's breach caused the injury protected against (Federico v. Superior Court (1997) 59 Cal.App.4th 1207, 1210.1211.) The duty is to preserve confidentiality, and a breach of confidentiality is the injury protected against. Without an actual confidentiality breach there is no injury and therefore no negligence under section 56.101. That the records have changed possession even in an unauthorized manner does not mean they have been exposed to the view of an unauthorized person.