CA Supreme Court Declines Breach CasesNo Proof in Either Case of Unauthorized Data Viewing
The California Supreme Court has declined to hear appeals in data breach class action lawsuits against Sutter Health and Eisenhower Medical Center. The action lets stand previous court rulings that determined the healthcare providers were not liable for the breaches under the state's Confidentiality of Medical Information Act because there was no proof that patients' medical data was actually inappropriately viewed.
The two separate cases involve 2011 thefts of unencrypted computing devices from the California-based healthcare organizations.
The Sutter incident, affecting about 4.2 million individuals, involved the theft of an unencrypted desktop computer from an administrative office. Some 13 class action lawsuits against Sutter had been consolidated.
The Eisenhower Medical Center incident, which affected 500,000 patients, involved the theft of an unencrypted desktop computer from the Rancho Mirage, Calif., hospital.
Each of the healthcare providers faced potential damages of up to $1,000 per breach victim under CMIA.
Appellate Court Decisions
In both cases, appellate courts ruled earlier this year that the healthcare providers were not liable under CMIA, and the plaintiffs appealed to the California Supreme Court. "In both matters, that means the court of appeals decisions stand," says attorney Beth Diamond, claims team leader at Beazley Group, which provided breach response insurance coverage to both Sutter and Eisenhower Medical Center.
The California Supreme Court declined on Oct. 15 to hear an appeal in the Sutter Health case, which could have resulted in a potential judgment totaling more than $4 billion under CMIA (see Sutter Health Breach Suit Dismissed). An appellate court had ruled Sutter was not liable because the plaintiffs did not allege the stolen information was actually viewed by an unauthorized person.
"The case is effectively over and we are very disappointed that the California Supreme Court did not choose to review a court of appeals decision that rewrote the statute and left consumers with no effective remedies in our case," says attorney John R. Parker Jr., of law firm Kershaw, Cutter & Ratinoff LLP, which represented plaintiffs in the Sutter case.
"Sutter Health is pleased with the California Supreme Court decision," a spokesperson for the organization says. "We can't speculate on future legal action."
The state supreme court also recently declined to hear an appeal of the lawsuit against Eisenhower Medical Center. An appellate court had ruled in May that the healthcare provider was not liable under CMIA for the release of patients' personal information because a patient index backup file on the stolen computer did not include information about medical histories, conditions or treatments. In that case, Eisenhower faced a potential total judgment of about $500 million under CMIA (see Court: Breach Didn't Violate State Law).
"The high court's refusal to hear the Eisenhower and Sutter appeals reflects the trend toward harmonization of California - CMIA - and federal law - HIPAA - regarding the consumer's privacy rights in their health information," says attorney Kathryn Coburn of law firm Cooke Kobrick & Wu LLP, which is not involved in either case. "The California appellate court noted in the Eisenhower case that the circumstances of the breach must include 'unauthorized viewing' in order for the plaintiff to recover nominal damages. HIPAA doesn't even allow for a private right of action by the consumer."
Although the CMIA-related claims in the Eisenhower case have been decided, attorney Alan Harris of Harris & Ruble, which is representing the plaintiffs in the lawsuit, says the legal action will continue on other claims, including complaints that Eisenhower delayed in notifying law enforcement and plaintiffs about the theft of the unencrypted computer. A trial date for that part of the lawsuit has not been set yet, he says.
"There are claims pending under the Customer Records Act, but the claims for statutory damages under the CMIA have all been resolved favorably to EMC," says attorney Paul Karlsgodt at law firm BakerHostetler, which represents Eisenhower Medical Center. "We are preparing a motion for summary judgment on the CRA claims, which should be filed over the next several weeks."
Besides the Sutter and Eisenhower Medical Center suits, other cases with similar decisions include the recent dismissal of a breach-related class action suit against Alere Home Monitoring. That 2012 breach, impacting more than 100,000 patients, involved the theft of an unencrypted laptop computer.
In the Oct. 7 decision by U.S. District Court in the Northern District of California, the judge ruled that there can be no liability for the negligent release of stolen medical information under California's Confidential Medical Information Act because there is no proof the data was actually viewed by a third party as the result of the theft (see Dismissed Breach Cases: A Common Element).