Daily Blast July 21, 2014

The California Court of Appeal, Third Appellate District (Sacramento) issued an opinion in Sutter Health v. Superior Court (July 21, 2014, C072591) __ Cal.App.4th ___, agreeing with the holding in Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549, 569-570, that “to qualify for an award of nominal damages under section 56.36, subdivision (b)(1), a plaintiff must plead and prove that the records . . . were actually viewed by an unauthorized person.” (Slip opn., p. 8.)

The case arose out of the theft of a health care provider’s computer. The medical records of more than four million patients were stored on the computer’s hard drive in password-protected but unencrypted format, and the office from which the computer was taken did not have a security alarm or security cameras. (Slip opn., p. 4.) Plaintiffs filed an action under the CMIA seeking to represent, in a class action, all of the patients whose records were stolen, with a potential award of $4 billion against the health care provider. (Id. at p. 3.) The health care provider demurred to the complaint on the ground that the complaint did not allege that any unauthorized person actually viewed the stolen records. The trial court overruled the demurrer. (Id. at p. 5.)

The Court of Appeal granted the defendant’s petition for a peremptory writ of mandate and directed the trial court to sustain the defendant’s demurrer without leave to amend and to dismiss the action. (Slip opn., p. 14.) The court held that, “[the] legislation at issue is the ‘Confidentiality of Medical Information Act,’ not the Possession of Medical Information Act. . . . While loss of possession may result in breach of confidentiality, loss of possession does not necessarily result in a breach of confidentiality. For that reason, a plaintiff must allege a breach of confidentiality, not just a loss of possession, to state a cause of action for nominal or actual damages under sections 56.101.” (Id. at p. 12.)