Two recent cases decided by two California appellate courts shed some light on what one source describes as “judicial reluctance” to award damages to individuals whose information was potentially leaked in a security breach. At least this was the result in these matters, where the plaintiffs could not prove anything beyond minimal harm stemming from the breaches. Considering these decisions, as well as the sharp increase in reported security breaches in California and across the country, two questions arise: to what extent will these precedents be followed in other jurisdictions? And will the results change if the plaintiffs are able to prove more than minimal harm, and what does that entail?
Data Breaches in California
In October, the California Attorney General’s Office released a report that, according to the California Attorney General, Kamala D. Harris, “sheds light on the threat that data breaches pose to California consumers and businesses, including an analysis of the information the Attorney General’s office collected on data breaches in California in 2013.” Describing the state as uniquely subject to developments in the security of sensitive information as it is both “the birthplace of the digital revolution” and the location of the world’s eighth largest economy, the report revealed that in 2013 the number of reported breaches grew by 28 percent over the number in 2012. The report disclosed that the number of Californians whose data was affected in 2013 increased by 600 percent, which was, as the report stated, “due largely to two massive retailer breaches, one of which, the Target breach, involved the payment card data of 41 million individuals, including 7.5 million Californians.”
With respect to health records, the report stated that in this industry, “breaches affected more records than in other industry sectors, with the exception of retail since the two mega breaches of 2013.” Because the majority of the health care sector’s breaches (70 percent of breaches in this industry reported in the last two years) were due to stolen or lost hardware that contained unencrypted personal information, the report concluded that the “strategic use of encryption” with regard to information technology in this industry could make a large difference. Moreover, the report referenced other studies that have revealed the rise of criminal activity targeting personal health information, which is exacerbated by health care employees’ use of unsecured portable devices. The report summarized its findings and recommendations as follows: “The need to use encryption is a lesson that must be learned by the health care industry and we recommend that it be applied not only to laptops and portable media, but also to many computers in offices.”
Recent California Cases
Both recent cases were brought by individuals whose health records were subject to unauthorized data breaches in the state of California. Each suit was brought against the provider and keeper of those records pursuant to the California Confidentiality of Medical Information Act (CMIA). CMIA bars providers from making unauthorized disclosures of patient information, provides for remedies at law, and imposes nominal damages on providers that negligently release such information without authorization.
In Sutter Health v Superior Court (Atkins), a California appellate court ruled that the provider was not liable for the nominal $1,000 in damages to each member of the class action suit, a total of $4.24 billion; that ruling stood after the California Supreme Court denied review of the case. In this matter, the class of individuals brought suit against the provider after a thief broke into the provider’s office and stole a computer that contained the health records of over four million patients. Therefore, according to a report on the Sutter decision, “in California a health care provider is not liable for the nominal damages set forth in [the CMIA] when password-protected but unencrypted information is stored on a computer, and the device is stolen, absent evidence the data was actually viewed.”
Similarly, in a matter brought against Eisenhower Medical Center, a data breach was caused by the theft of a computer which contained a password-protected but not encrypted “index of over 500,000 patients’ names, medical record numbers, ages, dates of birth, and Social Security numbers.” In Eisenhower Medical Center v Superior Court (Riverside), a California appellate court found that the CMIA did not apply in situations that lacked a breach of information relevant to history of treatment, diagnosis, or care. “The mere fact that a person was a patient of the provider at some time, the court concluded, was insufficient to impose liability under CMIA,” according to commentary on the decision.
While some sources note that these rulings indicate that, despite the adoption of CMIA, “it could be difficult for patients to successfully sue California health care facilities over data breaches,” it is unclear how these matters would proceed given a different fact pattern regarding the details of the breach. While the California courts seem to have carved out some exceptions or caveats to the prohibition on unauthorized disclosure of information under CMIA, how far do these exemptions go, and to what extent will this trend be mirrored in other jurisdictions where data breaches are also on the rise?