A state appellate court Monday ordered the dismissal of a lawsuit that could have cost Sutter Health more than $4 billion when it ruled that millions of the health care giant’s patients had no right to sue over the theft of a computer with their personal, medical and insurance records on its hard drive.
The court decided it has not been shown – and the patients have not alleged – that any unauthorized persons have actually viewed the contents of the hard drive, a fact that deprives the patients of grounds to seek civil damages.
Soon after Sutter’s announcement in November 2011 that a desktop computer had been stolen from a South Natomas office, patients began filing individual lawsuits alleging violations of California’s Confidentiality of Medical Information Act. Those suits were eventually coordinated and a master complaint, proposed as a class action, was filed in Sacramento Superior Court.
The complaint sought $1,000 compensation for each patient – the nominal damages provided for in the confidentiality statute – with a potential award totaling more than $4 billion.
Superior Court Judge David F. De Alba rejected Sutter’s attempt to get the case thrown out. He said the patients’ complaints were sufficient without an allegation that an unauthorized person had viewed the hard drive’s contents.
But a three-justice panel of the 3rd District Court of Appeal on Monday declared that the confidentiality statute requires proof that an unauthorized person has accessed the stolen material.
“It is the medical information, not the physical record (whether in electronic, paper, or other forms), that is the focus of the Confidentiality Act,” the appellate opinion states. “While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced” by the act.
Providing $1,000 in damages to every person whose medical information merely came into the possession of an unauthorized person “would lead to unintended results,” the opinion says.
“For example,” the justices said, “if a thief grabbed a computer containing medical information on 4 million patients, but the thief destroyed the electronic records to reformat and wipe clean the hard drive and sell the computer without ever viewing the information or even knowing it was on the hard drive, the health care provider would still be liable, at least potentially, for $4 billion. For all we know, that may have happened here.”
The panel’s unanimous decision generally tracks the reasoning of one of the arguments put forth by Sutter at the outset of the case. Acting Presiding Justice George Nicholson authored the published opinion, with the concurrences of Associate Justices Louis Mauro and Elena J. Duarte. The panel sent the matter back to De Alba and ordered him to dismiss the suit.
Sutter spokesman Bill Gleeson issued the following prepared statement:
“Sutter Health is pleased that the judicial process resulted in a ruling that will end litigation, which, if it had continued, would have diverted resources better spent on patient care, and would have increased the likelihood that private patient records would be used in litigation, even though no injury to patient confidentiality ever resulted from the theft.”
The three lead attorneys for the patients, C. Brooks Cutter and Robert Buccola of Sacramento and Michael Ram of San Francisco, did not respond to requests for comment.
The computer was taken, along with monitors and other equipment, during an Oct. 15, 2011, break-in at offices occupied by Sutter Health Foundation on Gateway Oaks Drive.
Records of more than 4 million patients were stored on the hard drive in password-protected but unencrypted format, and the office from which the computer was taken did not have a security alarm or security cameras.
“Sutter should’ve had that under lock and key, not protected by a pane of glass,” Buccola said after the theft was announced by Sutter. “If there’s proprietary information in their files, they have a financial interest to make sure security is of the utmost importance.”
Information on 3.3 million patients whose providers were supported by Sutter Physician Services was on the hard drive. Their names, addresses, email addresses, dates of birth, telephone numbers and names of their health insurance plans dating from 1995 were in the database. Sutter Physician Services supplies billing and managed-care services for health care providers, including the Sutter Health network.
The computer held the same information for 943,000 Sutter Medical Foundation patients. With respect to those patients from January 2005 to January 2011, the information included descriptions of medical diagnoses or procedures used for business operations.