Sutter Health Off Hook for Stolen Records
SACRAMENTO, Calif. (CN) - A state appeals court on Monday halted a $4 billion class action against Sutter Health over stolen patient records, holding that no one can prove the data has ever been used.
Dozens of Sutter Health patients sued the healthcare provider after thieves broke in and stole a computer containing the medical records of over 4 million patients in 2011. The office had no security alarm or cameras, and the files on the computer were password-protected but unencrypted.
Under California's Confidentiality of Medical Information Act, patients can sue for a nominal damages award of $1,000 each for the negligent release of medical information - a potential $4 billion windfall for the Sutter Health patients affected by the stolen computer.
Sutter Health objected to the suit and moved to strike the class allegations, requests that Sacramento County Superior Court Judge David De Alba denied. De Alba reasoned that the patients did not have an obligation to prove that an unauthorized person had viewed their medical data in order to pursue claims that Sutter Health breached the Confidentiality Act.
The hospital chain petitioned the Third Appellate District for review of De Alba's denial, and on Monday the Sacramento panel of that court agreed that the mere possession of medical records by an unauthorized person is insufficient to show a breach of confidentiality.
"The statute contains a lengthy list of circumstances under which the healthcare provider must or may disclose medical information, circumstances which do not violate the nondisclosure duty," Judge George Nicholson wrote for the panel. "Thus, disclosure under the law implies an affirmative communicative act.
"Here, there is no dispute that the computer was stolen by, not given to, the unauthorized person," Nicholson continued. "Sutter Health did not intend to disclose the medical information to the thief, so there was no affirmative communicative act by Sutter Health to the thief. As a result, the law does not apply to the facts of this case."
The appeals court noted that the California Supreme Court recently held that in order for a healthcare provider to violate the Confidentiality Act, it must make an "unauthorized, unexcused disclosure of privileged medical information."
"No breach of confidentiality takes place until an unauthorized person views the medical information," Nicholson wrote. "It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act. While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced by the Confidentiality Act." [Parentheses in opinion.]
So while Sutter Health negligently stored the patient records - unencrypted, on a desktop computer, in a building with no security system - there is no allegation that anyone ever viewed the stolen records, the appeals court found.
"Interpreting the Confidentiality Act to provide $1,000 in damages to every person whose medical information came into the possession of an unauthorized person without that person viewing the information would lead to unintended results," Nicholson wrote. "For example, if a thief grabbed a computer containing medical information on four million patients, but the thief destroyed the electronic records to reformat and wipe clean the hard drive and sell the computer without ever viewing the information or even knowing it was on the hard drive, the healthcare provider would still be liable, at least potentially, for $4 billion. For all we know, that may have happened here. We cannot interpret a statute to require such an unintended result."
The appeals court ordered De Alba to sustain Sutter Health's objection and dismiss the class action without leave to amend.
A similar class action, filed earlier this year, is pending in an Alameda County court.