Sutter Health Breach Suit Dismissed
Court Decision Follows Similar Rulings in Other Cases
A consolidated class action lawsuit against Sutter Health related to a breach impacting more than 4 million individuals has been dismissed by an appellate court in California. The court's decision follows a number of other recent dismissals in similar health data breach suits.
The California Third District Court of Appeal on July 21 ordered the dismissal of 13 coordinated class action lawsuits filed following the October 2011 theft of a Sutter Health unencrypted desktop computer containing patient data for about 4.2 million patients. The lawsuit was potentially one of the largest class actions to date involving a health data breach.
In dismissing the case, the court ruled that "plaintiffs have failed to state a cause of action under the [California] Confidentiality of Medical Information Act because they do not allege that the stolen medical information was actually viewed by an unauthorized person."
Interpretation of State Law
Among other remedies, the Confidentiality Act provides for an award of $1,000 in nominal damages to a patient if the healthcare provider negligently releases medical information or records in violation of the Confidentiality Act, the ruling notes.
In its decision, the appeals court ruled that Sutter Health did not intend to disclose the medical information to the thief, and that Sutter Health's actions with respect to the records did not fail to preserve their confidentiality, because loss of possession alone is "not a breach of confidentiality."
Plaintiffs in the case are appealing the decision to California's Supreme Court, says attorney J.R. Parker of the law firm Kershaw, Cutter & Ratinoff, which represented the plaintiffs.
"We disagree with the court of appeals," he says. He says the ruling by the appeals court is equivalent to saying that had the Sutter incident involved cardboard boxes of paper records left on the road, instead of a stolen computer, there would be no breach if it was unknown whether the paper records were viewed by anyone. He stresses that there's a risk the records on the missing computer have been viewed.
But privacy and security attorney Stephen Wu of law firm Silicon Valley Law Group, who is not involved in the Sutter case, says although thieves who stole the Sutter computer may have viewed the data contained on the device, there's no way of confirming that because the computer has not been found and the thieves have not been identified.
"There's no proof the data was viewed, and so the court ruled there's no claim under the Confidentiality Act," he says. "The court is saying it suspects the motive of the thieves was to steal the computer to resell it, not for the data it contained."
What Was on the Computer?
No financial information, Social Security numbers, health plan ID numbers or medical records were on the desktop device, which was stolen during the weekend of Oct. 15-16, 2011, from an administrative office of the Sutter Medical Foundation, a physician network based in Sacramento, Calif., that's part of Sutter Health, according to court documents.
The stolen computer contained a database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units. That database included information on about 3.3 million patients collected from 1995 through January 2011. Included were names, addresses, dates of birth, phone numbers, some e-mail addresses, medical record numbers and the names of patients' health insurance plans.
The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures. Only this portion of the breach is included in the Department of Health and Human Services "wall of shame" website listing major health data breaches affecting more than 500 individuals.
A statement on Sutter's website notes: "No information from the stolen computer ever surfaced after the building break-in and theft."
In its statement, Sutter says it is "pleased that the judicial process resulted in a ruling that will end litigation, which if it had continued, would have diverted resources better spent on patient health care. Continued litigation would also have increased the likelihood that private patient records would be used in litigation, even though no injury to patient confidentiality ever resulted from the theft."
Sutter Health spokesman Bill Gleeson tells ISMG: "Sutter Health is constantly looking for ways to enhance data security and protect the privacy of our patients and staff. We encrypt our computers and hand-held devices and have invested in and installed an advanced scanning software that monitors and blocks confidential information from leaving our network."
The Sutter Health decision follows the recent dismissals of a handful of other similar breach lawsuits. That includes the July 10 dismissal by a Kane County, Ill., judge of a class action suit filed against Advocate Health Care last October (see Breach Lawsuits: Why Winning is Tough). That suit was filed in the wake of the July 2013 theft of four unencrypted computers from a Chicago-area Advocate physicians' office, which may have exposed information on 4 million patients.
In May, a similar class action suit against Advocate that was filed last year in Lake County, Ill., Circuit Court was also dismissed. In that case, the court also ruled that there was no evidence of identity theft or fraud as a result of the theft. A hearing to reconsider that Lake County ruling is set for Sept. 3.
Also in May, a federal district judge dismissed the majority of a consolidated class action lawsuit that was filed against TRICARE, the military health program, and Science Applications International Corp. in the wake of a 2011 data breach that affected nearly 5 million individuals. That incident is the largest data breach reported to federal regulators under the HIPAA breach notification rule.
Privacy attorney Adam Greene, a partner with the Washington law firm Davis Wright Tremaine, says the recent rulings "fit with the general trend that we have seen of courts dismissing breach cases due to lack of actual harm and, therefore, a lack of standing."