DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Dismissal of Sutter Health lawsuit to be appealed

Posted on July 24, 2014 by Dissent

I guess I wasn’t the only one surprised by the Third District Court of Appeal’s dismissal of a lawsuit against  Sutter Health for violations of California’s Confidentiality of Medical Information Act (CMIA).  The justices had unanimously held that the CMIA wasn’t triggered because there was no evidence that anyone even looked at the stolen protected health information, much less misused it.

Since the language of CMIA doesn’t seem to require evidence of harm or misuse, I found their ruling surprising. The statute seems pretty clear:

A provider of health care, health care service plan, or
contractor shall not disclose medical information regarding a patient
of the provider of health care or an enrollee or subscriber of a
health care service plan without first obtaining an authorization,
except as provided in subdivision (b) or (c).

The definition section of the statute does not define what “disclose” means, however.

Now Kathy Robertson of the Sacramento Business Journal reports that the plaintiffs intend to appeal to the California Supreme Court:

“We’re disappointed with the decision and plan to appeal to the state Supreme Court,” said John Parker Jr., a Sacramento attorney and one of several lead counsel for the plaintiffs. The appeals court did not correctly interpret the law, he added. “In fact, they rewrote it in such a way that it violates the intent of the Legislature, legal history and long-standing protections of the privacy and confidentiality of medical records in California,” he said.

Read more on Sacramento Business Journal.

The dismissal was important because CMIA provides for penalties for negligent disclosures, even where no harm has been demonstrated. Under Section 56.36(b):

In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:
(1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.
(2) The amount of actual damages, if any, sustained by the
patient.
(c) (1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.

The Sutter Health case was the second time in the past year that the courts dismissed a complaint under CMIA. The California Court of Appeals limited the ability of plaintiffs to obtain statutory damages under CMIA in Regents of the Univ. of Cal. v. Superior Court of Los Angeles County, holding

by incorporating the remedy specified in section 56.36, subdivision (b), section 56.101 allows a private right of action for negligent maintenance only when such negligence results in unauthorized or wrongful access to the information. Because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents’s petition and issue a writ of mandate to the superior court directing it to vacate its order overruling the Regents’s demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action.

In both cases, hardware with PHI was stolen. It is not clear to me how the acquisition of devices with PHI is not an unauthorized or wrongful access to PHI.

In other words, I think both courts have gone way beyond the language of CMIA and the state legislature’s intent in passing CMIA. I hope the California Supreme Court agrees.

Category: Uncategorized

Post navigation

← Are Patient Privacy Laws Being Misused to Protect Medical Centers?
House Oversight’s lopsided hearing on the FTC →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.