Court: Breach Didn't Violate State LawStolen Computer Did Not Contain Medical Data
In a pre-trial decision, a California appellate court has ruled that Eisenhower Medical Center in Rancho Mirage is not liable for a breach of patient confidentiality under California's Confidentiality of Medical Information Act because a stolen unencrypted desktop computer with data on 500,000 patients did not contain medical information.
The Fourth Appellate District Division 2 Court of Appeals for the State of California on May 21 overturned a lower court's ruling in a class action suit against Eisenhower. The lower court had rejected the medical center's request for a "summary judgment" rejecting the plaintiff's primary claim that the medical center violated CMIA.
Legal observers say this case, and others, are bringing some clarity on how California courts are interpreting CMIA in healthcare data breach cases.
Now, the plaintiffs in the case against Eisenhower Medical Center plan to appeal the latest court ruling to the state Supreme Court. And the case is expected to go to trial in lower court on three other claims, including an amended complaint alleging that two other computers were stolen from the medical center in January 2011.
The Department of Health and Human Services' "wall of shame" tally of breaches affecting 500 or more individuals only lists one incident for Eisenhower Medical Center. That breach is the March 2011 theft of a desktop computer, which the HHS site says affected 514,330 individuals.
What the Court Ruled
In its ruling, the three-judge appellate panel concluded that "a healthcare provider cannot be held liable under the relevant portions of the CMIA for the release of an individual's personal identifying information that is not coupled with that individual's medical history, mental or physical condition, or treatment."
Attorney Stephen Wu, a partner specializing in data security at law firm Cooke Kubrick and Wu LLP, who is not involved in the case, says: "The ruling is a significant, half-billion-dollar victory for Eisenhower Medical Center." The plaintiffs were seeking $1,000 in damages under CMIA for each patient whose information was on the lost computer. The three other claims by plaintiffs in the suit "are worth a lot less," Wu says.
The decision by the appellate court was an "extraordinary writ remedy" that answers important questions before a case goes to trial, explained attorney Alan Harris of Harris & Ruble, which is representing the plaintiffs in the case. Harris says the lawsuit will move forward on the three other claims, and the plaintiffs will ask the California Supreme Court to review the appellate court decision .
"Maintaining the confidentiality of patient visits to a medical facility is crucial to encouraging those who are ill to seek treatment promptly, thereby reducing medical costs for our society and helping control the spread of contagious diseases," Harris says in a statement provided to Information Security Media Group. "The Court of Appeals acknowledged a patient's interest in maintaining confidentiality of visits to medical facilities when it noted that 'the very fact that a person is or was a patient of certain health care providers, such as an AIDS clinic, is more revelatory of the nature of that person's medical condition.' Patients of medical facilities such as Eisenhower Medical Center's Betty Ford Center, which provides alcohol and other drug dependency treatment services, understandably would wish the fact of their visits to remain confidential," he says about the data contained on the index of the stolen computer.
Eisenhower Medical Center said the unencrypted computer, which was stolen from the hospital on March 11, 2011, contained an index of more than 500,000 individuals to whom the hospital had assigned a clerical record number dating back to the 1980's, according to court documents.
The patient index backup file included each individual's name, medical record number, age, date of birth, and last four digits of their Social Security number. In Eisenhower's motion to the appellate court, the healthcare provider contended that the theft of the computer did not result in a disclosure of medical information of any of the listed persons on the index.
"Information about an individual's medical history, condition, or treatment is saved only on EMC's servers located in the data center," says the court document. "The index that was on the stolen computer is a subset of information from its master patient index and can be used in case of a power outage or network failure to look up the patient's medical record number so that a hard copy of the medical records can be located. The medical record number is sequential and contains no coded information."
The medical center argued that while the stolen index contained individually identifiable data ,such as patient names and medical record numbers, the index did not contain medical information, such as treatment details, as described in the CMIA. "We agree," the appellate court ruling says. "We note the issue thus drawn is a narrow one and does not require this court to determine whether there is a distinction between a disclosure or release of medical information under the CMIA, whether EMC was negligent in handling its computer records, or whether unauthorized persons actually viewed plaintiffs' medical records."
Privacy attorney Adam Greene of Davis Wright and Tremaine notes: "The Eisenhower Medical Center decision, coupled with a recent decision in Regents of the University of California v. Platter, substantially clarify and limit the scope of the CMIA. In Regents, a court of appeals held that, to demonstrate a violation of the CMIA, there needs to be evidence of actual impermissible access to information, not merely that it fell into the wrong hands," Greene says. "In Eisenhower, the court held that demographic information alone, even in a context that indicates that the individual is or was a patient of a health care provider, is not 'medical information.' In both of these cases, the court interpreted the text of CMIA differently from, and more narrow than, similar concepts under HIPAA."
Despite the two recent rulings, Greene still expects to see a large number of data breach class action lawsuits filed in California. He notes, however, that "these two decisions substantially limit the circumstances where plaintiffs can collect $1,000 per person under CMIA. We have not yet seen the California Supreme Court opine on these issues, though, so we may not have seen the final word."
Eisenhower Medical Center did not respond to Information Security Media Group's request for comment on the case.