No proof that the stolen information was actually viewed by an unauthorized person

Jul 23, 2014 15:39 GMT

A California Court of Appeal dismissed several class action lawsuits against health care provider Sutter Health that would have awarded over $4 / €2,972 billion to individuals whose medical information was exposed by the theft of a computer system.

The incident occurred about three years ago, between October 15 and 16, 2011, when a password-protected desktop computer containing sensitive information in plain text (mostly names, addresses, birth dates, phone numbers, and medical records) on 4.2 million individuals was stolen from the offices of Sutter Health.

It was immediately reported to the Sacramento Police Department, and a thorough investigation was started. No financial details about the patients or Social Security numbers were stored on the machine.

The parties impacted by the event filed 11 class action suits against Sutter Health, seeking monetary compensation. Under the Confidentiality of Medical Information Act (CMIA), individuals could have received $1,000 / €743 each, which would have amounted to the health care provider paying about $4.2 / €3,119 billion in damages.

However, on Monday, the lawsuits were dismissed on the grounds that “the plaintiffs have failed to state a cause of action under the Confidentiality Act because they do not allege that the stolen medical information was actually viewed by an unauthorized person.”

The Confidentiality Act provides liability for failing to maintain the secrecy of the information against unauthorized persons.

Had the plaintiffs managed to demonstrate that there was a reasonable chance of an actual breach, Sutter Health might have been liable for the aforementioned amount of money.

The court document setting out the decision says that, in accordance with the Confidentiality Act, no confidentiality breach occurs until the sensitive information is viewed by unauthorized persons. Lacking such proof, the court could not rule in favor of the plaintiffs, since the physical record of the details is not the focus of the Act.

“While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced by the Confidentiality Act,” said the court.

This implies that the loss of possession does not mean that the confidentiality of the information was breached, since there is no evidence that the content of the records was disclosed. “Without an actual confidentiality breach there is no injury.”

Breaches of the systems of health care providers have become more frequent in recent years, but cases in which computer systems are stolen from the offices of these organizations are not uncommon either.