Health Information Compliance Alert

Published on Tue Aug 19, 2014 PDF

Could this court decision affect breach lawsuits beyond California?

In a major HIPAA-breach lawsuit, an appellate court recently decided that “the mere possession” of protected health information (PHI) was not enough to warrant damages. Here’s why this ruling could set the pace for future court decisions in breach-related lawsuits.

Background: A data breach occurred when a computer was stolen from Sutter Health. The computer contained the personal and health information of 4.3 million patients. Specifically, the database stored on the computer held the names, addresses, dates of birth, telephone numbers, email addresses, medical record numbers and names of health insurance plans for 3.3 million patients. And the computer contained dates of service and descriptions of diagnoses for another 1 million individuals.

Watch Out: State Laws Can Inflate Damage Amounts

After Sutter Health notified patients of the computer theft, they filed a class action lawsuit under the California Confidentiality of Medical Information Act. The Act allowed for statutory damages of up to $1,000 per individual — that’s a whopping $4.3 billion in damages.

The lower court decided that Sutter Health was liable under the Act, and Sutter Health appealed the ruling. On July 21, the California appeals court reversed the decision and dismissed the case, holding that Sutter Health could not have violated the Act “because there was no evidence that the thief who stole the computer had actually viewed any of the information,” explained partner attorney Linn Foster Freedman in a July 25 blog posting for the law firm Nixon Peabody LLP.

“The plaintiffs failed to state a cause of action under the Confidentiality Act because they failed to allege a breach of confidentiality,” the appellate court ruled. “Therefore, the trial court should have sustained Sutter Health’s demurrer.”

Stay Up-To-Date with This Lawsuit Trend

“This is a significant decision that is consistent with many other jurisdictions that the mere loss of information does not form the basis for a claim for monetary damages,” Freedman said.

And the dismissal could set a precedent in California, reported Kathy Robertson, senior staff writer for the Sacramento Business Journal, in a July 23 news report. “As data breaches become more common, courts are beginning to look at the actual toll from the incidents and question whether a theft that doesn’t hurt anybody should bring multimillion-dollar damage awards.”

This potential precedent is especially true in light of another appeals court ruling in a University of California Regents case last year, which came to the same conclusion, Robertson noted.

“As the court said, it’s called the ‘Confidentiality of Medical Information Act,’ not the ‘Possession of Medical Information Act,’” Dallas-based partner attorney Jeffrey Drummond said in a July 23 Jackson Walker LLP blog posting. “Loss of peace of mind apparently isn’t a damage.”

Takeaway: But Drummond suspects that “nothing will be settled here until the California Supreme Court (and possibly the U.S. Supreme Court) rules.”