DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Dismissal of Sutter Health lawsuit to be appealed

Posted on July 24, 2014 by Dissent

I guess I wasn’t the only one surprised by the Third District Court of Appeal’s dismissal of a lawsuit against  Sutter Health for violations of California’s Confidentiality of Medical Information Act (CMIA).  The justices had unanimously held that the CMIA wasn’t triggered because there was no evidence that anyone even looked at the stolen protected health information, much less misused it.

Since the language of CMIA doesn’t seem to require evidence of harm or misuse, I found their ruling surprising. The statute seems pretty clear:

A provider of health care, health care service plan, or
contractor shall not disclose medical information regarding a patient
of the provider of health care or an enrollee or subscriber of a
health care service plan without first obtaining an authorization,
except as provided in subdivision (b) or (c).

The definition section of the statute does not define what “disclose” means, however.

Now Kathy Robertson of the Sacramento Business Journal reports that the plaintiffs intend to appeal to the California Supreme Court:

“We’re disappointed with the decision and plan to appeal to the state Supreme Court,” said John Parker Jr., a Sacramento attorney and one of several lead counsel for the plaintiffs. The appeals court did not correctly interpret the law, he added. “In fact, they rewrote it in such a way that it violates the intent of the Legislature, legal history and long-standing protections of the privacy and confidentiality of medical records in California,” he said.

Read more on Sacramento Business Journal.

The dismissal was important because CMIA provides for penalties for negligent disclosures, even where no harm has been demonstrated. Under Section 56.36(b):

In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:
(1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.
(2) The amount of actual damages, if any, sustained by the
patient.
(c) (1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.

The Sutter Health case was the second time in the past year that the courts dismissed a complaint under CMIA. The California Court of Appeals limited the ability of plaintiffs to obtain statutory damages under CMIA in Regents of the Univ. of Cal. v. Superior Court of Los Angeles County, holding

by incorporating the remedy specified in section 56.36, subdivision (b), section 56.101 allows a private right of action for negligent maintenance only when such negligence results in unauthorized or wrongful access to the information. Because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents’s petition and issue a writ of mandate to the superior court directing it to vacate its order overruling the Regents’s demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action.

In both cases, hardware with PHI was stolen. It is not clear to me how the acquisition of devices with PHI is not an unauthorized or wrongful access to PHI.

In other words, I think both courts have gone way beyond the language of CMIA and the state legislature’s intent in passing CMIA. I hope the California Supreme Court agrees.

Category: Uncategorized

Post navigation

← Are Patient Privacy Laws Being Misused to Protect Medical Centers?
House Oversight’s lopsided hearing on the FTC →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.