Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Health Privacy/HIPAA

California Appeals Court Rules that Mere Possession of Medical Information by Unauthorized Person is Insufficient to Support Breach Claims Under the CMIA

In a ruling that was welcome news to health care providers, insurers, and others that maintain medical information of California residents, the California Court of Appeals recently held that the mere possession of medical information by an unauthorized person, without actual viewing of the information, is not sufficient to establish a breach of confidentiality under the California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code §§ 56 et seq. 

As we noted in a prior post, the CMIA is a medical privacy law that provides for nominal statutory damages of $1,000 against persons that negligently release confidential records or information, even in the absence of actual damages to the individual whose information has been disclosed.  As a result of this nominal damages provision, the CMIA has been invoked in numerous class-action suits filed in California following medical data breaches.

The case at issue, Sutter Health v. Super. Ct., Case No. C072591 (Cal. Ct. App. July 21, 2014), involved the theft of a desktop computer from Sutter Health.  The computer’s hard drive, which was password protected but not encrypted, allegedly contained the medical records of more than 4 million patients.  The plaintiffs sought to recover nominal damages of $1,000 for each class member under the CMIA, which could have resulted in a potential $4 billion award.

A unanimous panel of the court held that “[t]he mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records.”  The court observed that the focus of the CMIA is “preserving the confidentiality of the medical information, not necessarily preventing others from gaining possession of the paper-based or electronic information itself.”  Based on this language, the Court concluded that a breach of confidentiality is necessary to give rise to a claim under the CMIA, and then stated that no breach of confidentiality takes place “until an unauthorized person views the medical information.”  In the Sutter Health case, the plaintiffs had not alleged that an unauthorized person viewed the records, and therefore could not state a claim under the CMIA.  The court noted that the CMIA’s nominal damages provision did not change its analysis because even nominal damages were not available if an injury under the statute had not occurred.

The Sutter Health decision follows a similar ruling last year in Regents of the Univ. of Cal. v. Super. Ct., 220 Cal. App. 4th 549 (2013), where the court held that plaintiffs must plead that their information was in fact improperly viewed or otherwise accessed, and not just lost, to support a claim under the CMIA.  These decisions may serve to limit the number of actions brought under the CMIA and may have relevance for other data breach cases, which often hinge on plaintiffs’ ability to establish damages from the loss or unauthorized disclosure of their personal information.