Court Rejects Class Action for Health Information Security Breach
A California appellate court recently ruled that a hospital was not liable for a patient information security breach where it could not be shown that any medical information actually had been disclosed. Eisenhower Medical Center v. Superior Court involved the theft of an unencrypted computer containing an index of more than 500,000 persons to whom the hospital had assigned a medical record number [226 Cal. App. 4th 430 (2014)]. The plaintiffs brought a class action on behalf of all of the persons whose names appeared on the index, alleging that the hospital had violated the California Confidentiality of Medical Information Act (CMIA) by maintaining their medical information in a negligent manner. Under CMIA, a person whose medical information is improperly disclosed can recover nominal damages of $1,000, even if he or she suffers no actual harm. Under this theory, the hospital was liable to the class for $500 million in total damages.