A California appellate court recently dismissed a putative class action alleging that UCLA violated the California Confidentiality of Medical Information Act (CMIA) when an employee lost an encrypted hard drive containing 16,000 patient records. The court concluded that the plaintiff’s claim—which sought a whopping $16 million based on $1,000 in nominal damages for each record—failed to allege that any “release” to a third party actually occurred. Although the decision ostensibly applies only to the CMIA, it has potential broader implications for entities defending class actions seeking damages for data breaches.
In November 2011, UCLA notified approximately 16,000 patients that an encrypted hard drive containing personally identifiable medical information had been stolen from a physician’s home two months earlier. The burglars also stole an index card stored near the hard drive that contained the encryption key. On October 30, 2012, the plaintiff filed a putative class action alleging that UCLA “failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” Although the plaintiff did not claim actual damages, she sought $1,000 in nominal damages for each of the 16,000 class members.
UCLA moved to dismiss the complaint, alleging that the hard drive theft did not constitute a “release” of information, which UCLA claimed was a prerequisite to recover nominal damages under the CMIA. Although the lower court agreed that the hard drive theft did not amount to a “release” of information (and struck that part of the complaint), the court also held that the CMIA provided remedies for negligent “maintenance, preservation, and storage of confidential data” (and thus permitted a claim to proceed on that basis).
The Appellate Opinion
The appellate court reversed, holding that the CMIA’s “remedies” section (Section 56.36(b)) permits the recovery of nominal damages only for the negligent “release” of confidential information. The court acknowledged that the CMIA also requires medical information to be maintained and stored confidentially (in Section 56.101), and that entities that fail to do so “shall be subject to the remedies” set forth in Section 56.36(b). The court held, however, that a “release” of information was still a prerequisite to recover nominal damages under Section 56.36(b) because the term “remedy” refers to the cause of action (i.e., for the “release” of information), not just the type of recovery (i.e., the nominal damages). In other words, the negligent failure to maintain and store information confidentially permits recovery of nominal damages only if that failure results in a “release” of the information.
In holding that nominal damages are available only for the “release” of information, the court distinguished between the statutory availability of nominal damages for the “release” of information (in Section 56.36(b)) and the separate provision permitting compensatory and punitive damages for the “disclosure” of information (in Section 56.35). To determine whether a “release” had occurred that would permit a nominal damages claim, the court therefore examined the difference between a “disclosure” and a “release.” Whereas a “disclosure” requires an affirmative act of communication, the word “release” is much broader, encompassing situations where information is “allowed to move away or spread from a source” or allowed “to escape confinement” such that it was accessed by a third party. Thus, although a “disclosure” may also fall into the broader category of a “release,” the converse is not necessarily true because a release may not involve an affirmative communication. The court concluded that the plain meaning of “release” encompassed a situation where a physician negligently maintains confidential information and thereby allows it to be accessed by a third party.
Turning back to the plaintiff’s complaint, the court noted that the plaintiff claimed only that UCLA had negligently “lost possession” of the hard drive. Even under a broad definition of the word “release,” the court held that merely losing possession of information was not a violation of the CMIA that permitted recovery of nominal damages. Absent an allegation that a third party actually accessed the information, thereby breaching the confidentiality of the information, the plaintiff could not establish any “release” in violation of the CMIA.
UCLA is hardly the first HIPAA-covered entity that has encountered the loss of a laptop or other storage device containing patient information – and it certainly will not be the last. So what helpful information can be gleaned from this opinion?
First, and most directly, this opinion suggests that the CMIA does not permit the recovery of nominal damages where information is lost, but there is no evidence that it was actually “released” – i.e., viewed by a third party. If this opinion stands, plaintiffs will not be able to morph a simple “negligent maintenance of records” claim into a claim for nominal damages under the CMIA short of an actual “release” of information.
Second, although the decision did not discuss the legal significance of encryption, the case highlights the trend toward encrypting data. Here, the theft of the encryption key along with the device undermined the security that encryption normally provides, but it is questionable whether notification would have occurred or the class action ever brought if an encrypted device, but not the key, had been stolen.
Finally, the opinion may provide persuasive authority for entities defending class actions in cases where a device is lost, but there is no evidence of misuse or access. Here, the court held that a “breach” (of confidentiality under the CMIA) only occurs when information is actually viewed. Although this holding should not be construed as a modification to breach notification standards under different state breach notification laws (which typically focus on unauthorized “access” to and/or “acquisition” of personal information) or the Health Insurance Portability and Accountability Act (HIPAA) (which focuses on unauthorized “acquisition, access, use or disclosure” of protected health information that compromises that information), the decision may still provide ammunition for entities defending private class actions. It remains to be seen how this will play out given the different definitions of “breach” in these various laws and the different causes of action that plaintiffs have brought, but this decision certainly provides entities with food for thought in lost device situations.