Sutter Health v. Superior Court, 2014 WL 3589699 (Cal. App. 2014), is a medical data breach class action case that raises questions beyond the specifics of the Californian Confidentiality of Medical Information Act.
The stakes were high in Sutter — under the California statute medical data breach claims trigger (or should trigger!) nominal damages at $1000 per patient. Here four million records were stolen.
Plaintiffs’ first argued the defendant breached a section prohibiting unconsented-to disclosure. The not unreasonable response from the court was that this provision required an affirmative act of disclosure by the defendant which was not satisfied by a theft.
A second statutory provision argued by the plaintiffs looked like a winner. This section provided, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”
The court accepted (for the sake of argument) that this section did not require an affirmative act by the defendant. But then the court went all hyper-textual (a trend this week in health law cases) and held the provision was not breached until the information ceased to be confidential. The theft of the data wasn’t enough—plaintiffs would have to plead that confidentiality had been breached, for example, by showing the thief had viewed the stolen information.
The nominal damages provision includes the phrase “it shall not be necessary that the plaintiff suffered or was threatened with actual damages.” Arguably this supported the statutory intent argued by the plaintiffs; in cases like this you shouldn’t have to prove actual damage. However, the court held that this remedy provision did not come into play until the liability (negligent release) section was satisfied (which wasn’t, absent loss of confidentiality).
These state law medical data breach cases are becoming common and the damage issues can be quite tricky. Recall another class action—Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), concerning the theft of unencrypted laptops containing information on 1.2 million health plan members. In Resnick plaintiffs pled that they were careful stewards of their personal information and that actual identity theft had occurred (albeit approximately a year later). The court held that the pleading of causation was sufficient to avoid dismissal. Specifically the court noted that the plaintiffs had:
“pled a cognizable injury and have pled sufficient facts to allow for a plausible inference that AvMed’s failures in securing their data resulted in their identities being stolen. They have shown a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence.”
The plaintiff’s close call in Resnick and Sutter’s artificial interpretation of the statute pose broader questions about proof of damage in data breach cases. For example, how would the plaintiffs in Sutter plead (or prove) the loss of confidentiality required by the court. Presumably actual identity theft (and causation) as pled in Resnick would work. Absent that, would a patient have to investigate the shady Internet world where stolen information is brokered looking for evidence that their data had been compromised?
A broader criticism should be directed at the legislation itself. Far better drafting is required in medical data protection statutes. The very title of the statute, “Confidentiality of Medical Information Act,” is a relic of the view that medical data protection is achieved only through confidentiality. There are many other tools including privacy, erasure, security and breach notification. The word “confidentiality” should never have appeared in a section imposing a duty to keep medical data secure.