Data privacy is a hot topic. We regularly speak on data privacy at Reed Smith’s annual California continuing legal education day, and it takes hours to prepare because the landscape changes so rapidly. The law changes day-by-day, both legislatively and in our courts, and entire emerging industries (e.g., the “apps” industry) are organized around the collection and monetization of personal information disclosing what we do, when we do it, for how long, and where we are located. The very definition of “privacy” is now robustly debated, which is a significant change from the days when everyone knew that “private” information meant name, date of birth, social security number, account numbers, or some combination thereof. Today if you asked 25 privacy professionals to define “private” information, you might get 25 answers, and some would say “everything.”
When we expanded our drug and medical device practice into the data privacy realm a few years ago (along with the co-author of this post, Reed Smith’s Joshua Marker, an outstanding privacy lawyer and active blogger in his own right), we found that the healthcare industry was, for the most part, ahead of the game because the rules were relatively clear. Everyone agreed that personal health information was private, and there was HIPAA, the ubiquitous federal law that has regulated the security and privacy of personal health information since enacted in 1996. Drug and medical device companies typically are not HIPAA-covered entities, but they often have possession of personal health information in connection with patients who use their products, and our experience is that our clients and the lawyers who represent them take patient privacy very seriously.
One thing that has not changed is that there is no private right of action under HIPAA. That does not mean, of course, that plaintiffs have not tried to sue over breaches of security involving their private information. A handful of cases have permitted state law claims supported in part by alleged HIPAA violations, pleaded as claims like “negligence per se.” And there are numerous state laws regulating medical information that have garnered more attention as data privacy has become front-page news.
One such state law is the topic of today’s post—the California Confidentiality of Medical Information Act and a newly published opinion that correctly determined that a plaintiff cannot sue where private information was lost, but there is no evidence (or even an allegation) that anyone ever viewed it. No harm, no foul. The case has broad appeal because the fact pattern is so typical of “data security breach” lawsuits: Private information resides on a stolen hard drive or is sent off into the ether with nary an indication that anyone received, reviewed, used, or otherwise paid any attention to the information. At another level, such lawsuits (which are usually class actions) almost never articulate any credible basis that the plaintiffs suffered any actual harm.
In Regents of the University of California v. Superior Court, No. B249148, 2013 WL 5616775 (Cal. Ct. App. Oct. 15, 2013), a doctor took home a hard drive that contained personal health information for 16,000 patients. The opinion does not say why the doctor would do that, but it really doesn’t matter because the hard drive and the encryption passcodes were stolen. Id. at *2. They were never recovered; no one knows what happened to them; and no one knows whether the thief viewed or even attempted to view the information. Maybe the thief wiped the disk clean and sold it at a flea market, or maybe he dumped it in a trash bin. The point is that nobody knows, and the plaintiffs could not and did not allege that there had been any “disclosure” of medical information.
Instead they sued under the Confidentiality of Medical Information Act (“CMIA”) and alleged that the defendant had “failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” Id. In other words, the defendants had breached a duty under the CMIA to reasonably maintain, preserve, and store personal health information, separate and apart from any duty to prevent “disclosure” of medical information. The kicker is that the plaintiffs claimed statutory damages of $1,000 per patient, for themselves and each of the 16,000 putative class members, even though they did not suffer and did not allege any actual harm. Id.
The trial court denied the defendant’s motion to dismiss, reasoning that the statute did not require allegations of the actual release of information to support a “negligent storage” claim. Orders like this cause us to scratch our heads. Not only were there no alleged injuries, but there also was no activity that could possibly have resulted in an actual injury. Sure the plaintiffs alleged negligence under the statute, but the lack of reasonable care in a vacuum, whether covered by a statute or not, should not be sufficient to claim damages in a court of law.
Fortunately, the Court of Appeal read the statute our way and granted an extraordinary writ directing the trial court to dismiss the claims without leave to amend, ruling that there is a private right of action for negligent maintenance of confidential medical information “only when such negligence results in unauthorized or wrongful access to the information.” Id. at *1 (emphasis added). The plaintiff had satisfied the initial pleading requirement by alleging that her confidential medical information was on the stolen hard drive. But “more is required.” Id. at *8. The plaintiff also had to plead and prove that her confidential medical information had been “released,” which means that the defendant had to have “negligently maintained confidential medical information and thereby allowed it to be accessed by an unauthorized third person.” Id. (emphasis added).
This holding follows the plain meaning of the statute, and it also makes sense. As the Court of Appeal observed near the end of its opinion, a plaintiff ultimately has to prove that the confidential nature of medical information “was breached as a result of the heath care provider’s negligence.” Id. at *12 (emphasis added). A breach is more than the mere loss of information, with no apparent consequence and no known instances of anyone actually gaining access to the confidential information. In our view, the court appropriately limited private rights of action under the CMIA and did so in a principled way.
Aside from cutting off liability where there should be none, the court’s holding that access to the confidential information was required has another added benefit for the defense. This case, like all data privacy breach cases, was a class action, and by keying liability for negligent storage to “access by an unauthorized third person,” the court has reinforced that liability under the CMIA must be adjudicated on an individual, plaintiff-by-plaintiff basis, with each bearing the burden of proving that someone gained access to his or her confidential medical information as a result of the defendant’s negligence. This opinion is therefore doubly useful, both on liability and on class certification. The larger message from your Drug and Device Law Bloggers is that data privacy is a developing target and worth keeping an eye on.