We expanded our practice into data privacy and security out of practical necessity. Expectations surrounding privacy of personal information are evolving, and the laws that regulate data privacy change every day, generally to expand protection for private information. Another thing that has changed is that we used to say that drug companies and medical device manufacturers are typically not HIPAA-covered entities. While this still may be generally true, we have come to find that many drug and medical device companies, if not HIPAA-covered entities themselves, have subsidiaries that are. Regardless, whether HIPAA covered or not, drug and medical device manufacturers increasingly have possession of private personal health information for the patients who are treated with their products.
Our collective interest in data privacy led us to give you our gloss on Regents of the University of California v. Superior Court, 220 Cal. App. 4th 549 (2013), which involved claims under California’s Confidentiality of Medical Information Act. Unlike HIPAA, the CMIA permits a private right of action and allows for the recovery of substantial statutory damages. The case involved the theft of a hard drive containing medical records, and the California Court of Appeal held that a plaintiff cannot sue where private information was lost, but there is no evidence (or even an allegation) that anyone ever viewed it. The vast majority of data privacy cases, all of them class actions, do not and cannot allege any actual harm to the plaintiffs. The Regents case was no exception, and the California court came absolutely to the correct conclusion: No harm, no foul.
The Court of Appeal has now followed that opinion with another that got it right, but for slightly different reasons that should help put an end to this kind of wasteful litigation. In Sutter Health v. Superior Court, No. C072591, 2014 WL 3589699 (Cal. Ct. App. July 21, 2014), a thief again stole computer media that contained medical records. As in Regents, no one knows what happened to the information: For all anyone knows, the thief took the stolen computer apart, wiped it clean, and sold it in pieces. Maybe he is using the hard drive as a door stop. Nobody knows, and the plaintiffs could not and did not allege that anyone ever viewed their medical information.
The earlier Regents opinion had reasoned that because no one ever viewed the medical information, no “release” of confidential information had occurred, as required to state a CMIA claim. A conclusion with which we wholeheartedly agree. The Court of Appeal in Sutter Health went one step further and held that there was no alleged “breach” of confidential information in the first place. Sure, confidential information changed hands. But the harm against which the statute protects is the breach of confidentiality. A mere change of possession does not amount to a breach and thus does not invoke the statute’s remedies. As the court observed,
No breach of confidentiality takes place until an unauthorized person views the medical information. It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act. While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced by the Confidentiality Act. . . . This change of possession increased the risk of a confidentiality breach. But the Confidentiality Act does not provide for liability for increasing the risk of a confidentiality breach.
Sutter, at *6. We like this statement because it makes so much sense. It is also the counter statement to the absurdity that otherwise would prevail: If the mere change of possession, and nothing more, were sufficient to state a claim, plaintiffs could force expensive litigation and potentially recover statutory damages when nothing actually happened to them. As the court said, “We cannot interpret a statute to require such an unintended result.” Id at *7.
Unintended? We suppose we agree with that, but other words come to mind. Such as unfair. Or unjust. Or “you gotta be kidding me.” Choose your own term, and bear in mind that data privacy issues will not go away anytime soon. The CMIA is not the cash cow that the plaintiffs’ bar thought it might be, but they will keep trying to find something else.