Hospital Dodges Legal Bullet in Huge Breach Case

A California appeals court has ruled in part that Eisenhower Medical Center in Rancho Mirage is not liable under state law for a huge data breach of protected health information because actual medical information was not compromised. The case returns to a lower court for further consideration.

A computer stolen from EMC in March 2011 contained an index of more than 500,000 patients dating back to the 1980s. Index information included name, age, date of birth, medical record number and last four digits of the Social Security number. A class action lawsuit against the hospital sought $1,000 for each affected individual.

Eisenhower had argued in the lower Superior Court of Riverside County that a provider is not liable under the state’s Confidentiality of Medical Information Act if breached identifying information is not accompanied by medical history, mental or physical condition, or treatment information. The hospital asked for a summary judgment that the theft did not result in disclosure of medical information, but the Superior Court denied the motion and Eisenhower appealed.

According to an explanation of the Superior Court argument in the Fourth Appellate Court decision: “Information about an individual’s medical history, condition, or treatment is saved only on EMC’s servers located in the data center. The index that was on the stolen computer is a subset of information from its master patient index that can be used in case of a power outage or network failure to look up the patient’s MRN (medical record number) so that a hard copy of the medical records can be located. The MRN is sequential and contains no coded information. Thus, EMC argues that the index did not contain medical information within the meaning of the CMIA, which requires a disclosure of ‘individually identifiable information’ (which it concedes the index contained) with information ‘regarding a patient’s medical history, mental or physical condition, or treatment.’”

Plaintiffs in Superior Court argued that EMC had reported the computer theft as a breach to the HHS Office for Civil Rights, so it must be considered a breach of state law as well. “Plaintiffs primarily argued that the mere fact that a person’s name is on the index reveals that he or she was a patient and, thus, there has been a release of medical history,” according to the Appellate Court explanation. “Finally, they assert that the information on the index could be used to hack into the database and perhaps access a patient’s medical information.”

In the end, the Appellate Court substantially agreed with Eisenhower. “EMC contends that ‘medical information’ as defined under the CMIA is substantive information regarding a patient’s medical condition or history that is combined with individually identifiable information. It notes here there was a disclosure or release of ‘individually identifiable information,’ but not medical information. We agree. We note the issue thus drawn is a narrow one and does not require this court to determine whether there is a distinction between a disclosure or release of medical information under the CMIA, whether EMC was negligent in handling its computer records, or whether unauthorized persons actually viewed plaintiffs’ medical records.”

The lawsuit returns to the Superior Court, which is ordered to set aside its denial of summary adjudication and issue a new order granting the motion. The 11-page decision is available here.
