Sutter Medical Foundation is at least the third provider organization in California to beat back a class action lawsuit following a data breach by arguing that no harm to affected individuals was established.

The organization potentially faced $4 billion in damages--$1,000 for each of about 4 million affected patients--following the theft of a password-protected but unencrypted computer from its administrative offices in October 2011.

A lower trial court previously ruled that Sutter Medical violated the state’s Confidentiality of Medical Information Act and plaintiffs could plead for a cause of action without alleging that medical information on the computer had been seen. Sutter Medical, which argued there could be no cause of action because harm was not established, appealed and a three-judge panel of the Third Appellate District in the Court of Appeal of the State of California agreed.

“The plaintiffs failed to state of cause of action under the Confidentiality Act because they failed to allege a breach of confidentiality,” according to the appellate decision. “The mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records. Therefore, the trial court should have sustained Sutter Health’s demurrer.” Demurrer is a contention that while facts may be true, they are insufficient on which to base a claim. The appellate court returned the matter to the trial court.

In May 2014, the Fourth Appellate Court in California ruled that Eisenhower Medical Center was not liable for a breach affecting more than 500,000 individuals because actual medical information was not compromised. The case was returned to a lower court for further consideration.

Recently, California’s Second Appellate District ruled for UCLA Health System, which faced a class action suit after an encrypted computer--along with a password written on a piece of paper--were among items taken from a physician’s home during a burglary. The trial judge overruled UCLA arguments that no actual breach was established, paving the way for damages. The appellate court, however, did not agree, saying that a pertinent section of the state medical confidentiality law is not violated without an actual breach of confidentiality.

The Sutter Health appellate decision is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access