The California Court of Appeal recently limited plaintiffs' ability to state a claim under the Confidentiality of Medical Information Act (CMIA), and with it their ability to obtain statutory damages. Consistent with prior rulings in the data breach space, the Court held that a plaintiff must plead, and ultimately prove, more than that a health care provider negligently maintained or lost possession of the data: the plaintiff must allege that the data was in fact improperly viewed or otherwise accessed.

In this case it was alleged that some patients treated at a health care facility had personally identifiable medical information stored on an encrypted external hard drive that was stolen from a doctor's house during a home invasion robbery. Also missing was an index card, kept near the computer, that contained the password for the computer and presumably would have permitted decryption of the data.

The health care provider gave notice of the potential breach to the potentially impacted patients. The notification letter also stated that "The theft was reported to the police and there is no evidence suggesting that your information has been accessed or misused."

The defendant demurred to the complaint, and the trial court overruled the demurrer. On appeal, the defendant argued that section 56.101 of the CMIA allows a private right of action for negligent maintenance only when that negligence results in unauthorized or wrongful access to the information, and that the complaint alleged no such access: there was no evidence that the information had been improperly viewed or accessed. Plaintiff responded that the CMIA provides for statutory damages in any case where a health care provider's negligence is the proximate cause of an unauthorized third party obtaining protected information. Notably, the CMIA provides for nominal statutory damages, and some plaintiffs have argued that those damages are available even where no actual harm is shown.

In rejecting plaintiff's argument, the Court held that the demurrer should have been sustained and the action dismissed, finding that a private cause of action under the CMIA for nominal and/or actual damages requires pleading and proof that confidential information was negligently released in violation of the CMIA. Specifically, the Court held, "Even under the broad interpretation of 'release' we believe the Legislature intended in section 56.36, subdivision (b), as incorporated into section 56.101, more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information. . . . What is required is pleading, and ultimately proving, that the confidential nature of the plaintiff's medical information was breached as a result of the health care provider's negligence. Because Platter's complaint failed to include any such allegation, the Regents's demurrer should have been sustained without leave to amend and the case dismissed."

There are several key points from this case. First, it greatly limits a plaintiff's ability to state a claim for a health care data breach absent an allegation that the plaintiff's information was actually accessed, not merely lost. Second, it provides an interesting benchmark for other, non-health care breaches involving the loss of encrypted data together with the password, because the Court did not treat the loss of an encrypted drive and of the password that could decrypt it as sufficient, by itself, to show that a third party actually accessed the information. The holding concerns the pleading standard, not the adequacy of the safeguards: once the password is taken together with the encrypted drive, the encryption offers no practical protection, and the provider did in fact treat the theft as a notifiable incident. Third, it reinforces prior non-health care data breach cases finding that damages and causation can be difficult for plaintiffs to establish.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved