Stolen Hard-Drive of Medical Info Did Not Support Negligent Maintenance Claim

California’s Confidentiality of Medical Information Act (CMIA) prohibits health care providers and related entities from disclosing medical information regarding a patient without authorization except in certain specified instances. A patient may bring an action for actual damages, nominal (statutory) damages of $1,000, or both against any person or entity that negligently released confidential medical information concerning him or her in violation of the CMIA. Any health care provider who negligently creates, maintains or disposes of medical information is subject to the remedies and penalties provided in the sections regarding negligent release of confidential medical information.


The Regents advised certain patients treated at UCLA facilities that an encrypted external hard drive containing some of their personally identifiable medical information had been stolen as part of a home invasion robbery. The patients were also informed that the password for the encrypted information was written on an index card near the device and that card could not be located.


A woman had been treated on numerous occasions at Ronald Reagan UCLA Medical Center. She was one of the UCLA Health System patients who had been notified of the loss of the external hard drive and the related password needed to decode the encrypted data. She filed a class action lawsuit against the Regents of the University of California, through its UCLA Health System, for failing to have reasonable systems and controls in place to prevent the removal of protected medical information from one of its hospitals and, as a result, negligently losing possession of that information. She did not allege that she had suffered any actual damages, but sought statutory damages of $1,000 for herself and for each member of the putative class pursuant to the CMIA. The Regents filed a demurrer arguing that the CMIA did not authorize a private cause of action based solely on negligent maintenance or storage of medical information where no actual disclosure took place. The Los Angeles Superior Court overruled the Regents' demurrer to the woman's complaint. The Regents filed a writ of mandate to require the superior court to dismiss the woman’s complaint.


The California Court of Appeal, Second District, Division 7, granted the Regents’ petition and issued a writ of mandate to the superior court directing it to vacate its order overruling the Regents' demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action. Specifically, the court held that the CMIA allows a private right of action for negligent maintenance only when such negligence results in unauthorized or wrongful access to the information. Because the woman could not allege her information was improperly viewed or otherwise accessed, the court granted the Regents' petition. The court expressly stated that the CMIA does not require an affirmative communicative act by the health care provider.


See: Regents of University of California v. Superior Court, 2013 WL 5616775 (Cal.App. 2 Dist., October 15, 2013)(not designated for publication).


See also Medical Law Perspectives, November 2012 Report: Liability for Electronic and Other Medical Record Information Disclosure