If a tree falls unseen in the forest, has it truly fallen? If the unencrypted medical records of 4 million people vanish with a stolen desktop computer, has there really been a security breach?
A Sacramento County Superior Court said yes, but a state appellate court said no and last week the California Supreme Court issued a one-line statement that it would not get involved. The appellate court ruled that victims of the data loss did not have a claim for damages because they could not prove that the data was looked at by the thief.
The alleged security breach occurred on October 17, 2011, when a desktop computer was stolen from Sutter Medical Foundation. It held data on 943,000 of the foundation's own patients and another 3.3 million records belonging to other health care providers for which the foundation performs billing and managed care services.
It is a not-unfamiliar story. Medical records are hot commodities on the black market. They can be used for insurance fraud as well as the bank and credit card fraud usually associated with identity theft. The U.S. Department of Health and Human Services (HHS) lists 19 breaches of protected health information in California this year, each affecting at least 500 patients.
They occurred via desktop computer, laptop, other portable electronic devices, e-mail and paper. Three of the breaches involved more than 3 million patients each. Often, the data was unencrypted and the security lax.
After the Sutter breach, plaintiffs sought court permission to bring a lawsuit on behalf of all the patients whose records were stolen. The plaintiffs argued that the state Confidentiality of Medical Information Act protects patients when a health care provider negligently releases medical information it shouldn't. In addition to not encrypting the information, the Sutter office lacked a security alarm or cameras.
The statute reads: “Any provider of health care . . . who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties.”
The plaintiffs argued that the damage done may not be known for years. They sought the $1,000 per patient that the statute prescribes as nominal damages, for a total of $4 billion.
Sutter said unless there was proof that the files had been read, there had been no breach of confidentiality. The court agreed and offered this example. “If a thief grabbed a computer containing medical information on four million patients, but the thief destroyed the electronic records to reformat and wipe clean the hard drive and sell the computer without ever viewing the information or even knowing it was on the hard drive, the health care provider would still be liable, at least potentially, for $4 billion. For all we know, that may have happened here.”
It may have. But that wouldn't have precluded the court from finding that a breach of confidentiality occurred when the data was stolen, and then reducing the damages for the mitigating circumstance that the data had been destroyed.
The three-judge appellate court unanimously decided there had been no breach, and the state Supreme Court let that ruling stand.