Filed 7/21/14
CERTIFIED FOR PUBLICATION
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA
THIRD APPELLATE DISTRICT
(Sacramento)
----
SUTTER HEALTH et al., C072591
Petitioners, (JCCP No. 4698)
v.
THE SUPERIOR COURT OF SACRAMENTO
COUNTY,
Respondent;
DOROTHY ATKINS et al.,
Real Parties in Interest.
ORIGINAL PROCEEDING in mandate. Petition granted. David De Alba, Judge.
Bartko, Zankel, Tarrant & Miller, Bartko, Zankel, Bunzel & Miller, Robert H.
Bunzel, William I. Edlund, and Michael D. Abraham for Petitioners.
1
Crowell & Moring and Ethan P. Schulman for the California Association of
Health Plans and the Association of California Life and Health Insurance Companies as
Amici Curiae on behalf of Petitioners.
Lois J. Richardson for California Hospital Association as Amicus Curiae on behalf
of Petitioners.
Munger, Tolles & Olson, Bradley S. Phillips, Michelle A. Friedland, and Amelia
L.B. Sargent for the Regents of the University of California as Amici Curiae on behalf of
Petitioners.
Sedgwick, Stephanie Sheridan, Kelly Savage Day, and Alison Andre for Alere
Home Monitoring, Inc., as Amici Curiae on behalf of Petitioners.
No appearance for Respondent.
Ahdoot & Wolfson, Robert Ahdoot, Tina Wolfson, Theodore W. Maya, Bradley
King; Kershaw Cutter & Ratinoff, C. Brooks Cutter, William A. Kershaw, John R.
Parker, Jr.; Ram, Olson, Cereghino & Kopczynski, Michael F. Ram, Jeffrey B.
Cereghino, Matt J. Malone; Dreyer Babich Buccola Wood Campora, Robert A. Buccola,
Steven M. Campora; Audet & Partners, William M. Audet, Joshua C. Ezrin; Keller
Grover, Eric A. Grover, Carey G. Been; Law Offices of Scot D. Bernstein, Scot
Bernstein; Harris & Ruble, Alan Harris, Abigail A. Treanor, Priya Mohan; The Law
Office of Darryl A. Stallworth, Darryl A. Stallworth; Clayeo C. Arnold, Clifford L.
Carter, Kirk J. Wolden, Clayeo C. Arnold; Meiselman, Denlea, Packman, Carton &
Ebertz, James R. Denlea, Jeffrey I. Carton, Jeremiah Frei-Pearson; Trial Law Offices of
Bradley I. Kramer, M.D., Bradley I. Kramer; Mastagni, Holstedt, Amick, Miller &
Johnsen, David P. Mastagni, and David E. Mastagni for Real Parties in Interest.
Kabateck Brown Kellner, Brian S. Kabateck, Richard L. Kellner, and Scott M.
Malzahn for Consumer Attorneys of California, Consumer Federation of California,
Consumer Action, Privacy Rights Clearinghouse, Privacy Activism, California Alliance
for Retired Americans, and California Advocates for Nursing Home Reform as Amici
Curiae on behalf of Real Parties in Interest.
The Confidentiality of Medical Information Act, which we refer to in this opinion
as the Confidentiality Act, protects the confidentiality of patients’ medical information.
(Civ. Code, § 56 et seq.; all remaining code citations, though unspecified, are to the Civil
2
Code.) Among other remedies, the Confidentiality Act provides for an award of $1,000
in nominal damages to a patient if the health care provider negligently releases medical
information or records in violation of the Confidentiality Act. (§ 56.36, subd. (b)(1).)
In this case, a thief stole a health care provider’s computer containing medical
records of about four million patients. The plaintiffs filed an action under the
Confidentiality Act, seeking to represent, in a class action, all of the patients whose
records were stolen, with a potential award of about $4 billion against the health care
provider. The health care provider demurred to the complaint and moved to strike the
class allegations, but the trial court overruled the demurrer and denied the motion to
strike. On the petition of the health care provider, we issued an alternative writ of
mandate to review the trial court’s rulings.
We conclude that the plaintiffs have failed to state a cause of action under the
Confidentiality Act because they do not allege that the stolen medical information was
actually viewed by an unauthorized person. We therefore grant the health care provider’s
petition for a peremptory writ of mandate and direct the trial court to sustain the health
care provider’s demurrer without leave to amend and dismiss the action.
The parties also argue other questions such as whether a class action is proper
under these circumstances and whether a potential award of about $4 billion in nominal
damages would violate the health care provider’s due process rights. We do not reach
these questions because our conclusion that the plaintiffs have not stated a cause of action
for violation of the Confidentiality Act resolves the petition for relief.
BACKGROUND
The real parties in interest (the plaintiffs) allege that the petitioners (Sutter Health
and several other defendants, which we refer to in this opinion simply as Sutter Health
because there is no reason to differentiate) violated sections 56.10 and 56.101 of the
Confidentiality Act, which invoked the remedy provision of 56.36. The relevant parts of
those statutes provide as follows:
3
“A provider of health care . . . shall not disclose medical information regarding a
patient of the provider of health care . . . without first obtaining an authorization, except
as provided in subdivision (b) or (c).” (§ 56.10, subd. (a).) Subdivisions (b) and (c) list
circumstances under which the health care provider must or may disclose records. None
of those circumstances is relevant to this action.
“Every provider of health care . . . who creates, maintains, preserves, stores,
abandons, destroys, or disposes of medical information shall do so in a manner that
preserves the confidentiality of the information contained therein. Any provider of health
care . . . who negligently creates, maintains, preserves, stores, abandons, destroys, or
disposes of medical information shall be subject to the remedies and penalties provided
under subdivisions (b) and (c) of Section 56.36.” (§ 56.101, subd. (a).)
“In addition to any other remedies available at law, any individual may bring an
action against any person or entity who has negligently released confidential information
or records concerning him or her in violation of this part, for either or both of the
following: [¶] (1) . . . nominal damages of one thousand dollars ($1,000). In order to
recover under this paragraph, it shall not be necessary that the plaintiff suffered or was
threatened with actual damages. [¶] (2) The amount of actual damages, if any, sustained
by the patient.” (§ 56.36, subd. (b).)
These proceedings are based on the well-pleaded facts alleged in the plaintiffs’
complaint. (Brown v. Mortensen (2011) 51 Cal.4th 1052, 1057, fn. 1 (Brown).)
Sutter Health maintained medical records concerning the plaintiffs. In October
2011, someone broke into an office of Sutter Health and stole a desktop computer. The
medical records of more than four million patients were stored on the computer’s hard
drive in password-protected but unencrypted format, and the office from which the
computer was taken did not have a security alarm or security cameras.
In November 2011, Sutter Health publicly announced that the medical records had
been stolen. Soon after the announcement, the plaintiffs began filing individual
4
complaints alleging violation of the Confidentiality Act. Those actions were coordinated,
and a master complaint was filed.
The complaint does not allege that any unauthorized person has actually viewed
the stolen records from the password-protected but unencrypted hard drive. Instead, the
complaint alleges: “Plaintiffs are informed and believe that potential misuses of personal
medical information may not manifest itself for numerous years, and furthermore that
credit monitoring services survey only a small segment of such potential misuses.”
The plaintiffs model their complaint as a class action, seeking to represent “[a]ll
persons residing in the State of California whose ‘medical information’ . . . was present
on a computer stolen [in October 2011] from [Sutter Health].” (Italics omitted.) The
complaint alleges that Sutter Health violated sections 56.10 and 56.101 of the
Confidentiality Act and seeks an award of $1,000 in nominal damages for each class
member under section 56.36, subdivision (b)(1). Because the complaint alleges that
Sutter Health violated the Confidentiality Act with respect to about four million patients
and seeks $1,000 per patient, the complaint potentially seeks about $4 billion in nominal
damages.
Sutter Health filed a demurrer to the complaint. It argued, among other things,
that the complaint does not state a cause of action under the Confidentiality Act because
it does not allege that any unauthorized person has viewed the stolen medical
information. Sutter Health also filed a motion to strike the class allegations in the
complaint because, among other things, the Confidentiality Act allows individual actions
only.
The trial court overruled the demurrer. It held that the complaint sufficiently
pleaded a cause of action for breach of the Confidentiality Act without alleging that an
unauthorized person had viewed the medical information.
The court also denied the motion to strike. It did not reach the merits of whether
the Confidentiality Act allows a class action. Instead, it ruled that the question would
5
more appropriately be addressed in class certification proceedings, which had not yet
taken place. (The court struck a prayer for injunctive and equitable relief in the
complaint, but that part of the ruling is not at issue in these proceedings.)
Sutter Health filed a petition for writ of mandate, and we issued an alternative
writ.1
DISCUSSION
The plaintiffs failed to state of cause of action under the Confidentiality Act
because they failed to allege a breach of confidentiality. The mere possession of the
medical information or records by an unauthorized person was insufficient to establish
breach of confidentiality if the unauthorized person has not viewed the information or
records. Therefore, the trial court should have sustained Sutter Health’s demurrer.
Regents of University of California v. Superior Court
Before we discuss the application of the Confidentiality Act to the facts as pleaded
in this case, we turn to a recent decision of the Court of Appeal, Second Appellate
District, Division Seven (opn. by Perluss, P.J., with Woods & Zelon, JJ., conc.).
1 We have received amicus curiae briefs (1) in support of Sutter Heath from the
California Association of Health Plans and an associated entity, the California Hospital
Association, the Regents of the University of California, and Alere Home Monitoring,
Inc., and (2) in support of the plaintiffs from Consumer Attorneys of California and
associated entities.
The plaintiffs, Sutter Health, and amici Consumer Attorneys of California and
associated entities have separately filed requests for judicial notice, none of which has
been opposed. The plaintiffs request judicial notice of legislative history documents.
The request is granted. (See Kaufman & Broad Communities, Inc. v. Performance
Plastering, Inc. (2005) 133 Cal.App.4th 26, 31-39 (Kaufman & Broad).) Sutter Health
requests judicial notice of documents and matters concerning which the trial court took
judicial notice. The request is granted. (Evid. Code, § 459.) And amici Consumer
Attorneys of California and associated entities request judicial notice of additional
legislative history documents. The request is granted. (See Kaufman & Broad, supra, at
pp. 31-39.)
6
(Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549
(Regents).) The parties in this case provided supplemental briefing on the effect of
Regents on the issues presented here.
In Regents, a physician took home an external hard drive with encrypted medical
information on it. He kept the encryption password on a card with the computer. During
a home invasion robbery, the external hard drive and the card with the password were
taken from the physician’s home. (Regents, supra, 220 Cal.App.4th at p. 554.) The
plaintiff, whose medical information was on the hard drive along with the medical
information of more than 16,000 other patients, did not allege that the medical records
were viewed by an unauthorized person. (Id. at pp. 554, 570.)
The plaintiff in Regents filed a complaint alleging violation of the Confidentiality
Act and seeking $1,000 in nominal charges for her and for each of the more than 16,000
other patients whose medical information was on the hard drive. (Regents, supra, 220
Cal.App.4th at pp. 554-555.) The defendant health care provider demurred to the
plaintiff’s complaint, and the trial court overruled the demurrer. (Id. at pp. 555-556.)
The Court of Appeal, however, issued a writ of mandate directing the trial court to
sustain the demurrer and dismiss the action. (Id. at p. 571.)
Three elements of the Regents decision are relevant to our discussion of the issues
in this case.
First, the Regents court made the following preliminary statement about the
application of section 56.101 to the facts of that case: “The superior court found, and the
Regents does not dispute, [plaintiff’s] complaint adequately alleges the Regents violated
the duty imposed by section 56.101, subdivision (a), to maintain and store medical
information in a manner that preserves the confidentiality of that information.
[Citation.]” (Regents, supra, 220 Cal.App.4th at p. 560.) After making this statement,
the Regents court went on to consider whether, having violated section 56.101, the health
7
care provider is subject to nominal damages under section 56.36. As we explain below,
we do not agree that section 56.101 is violated without an actual confidentiality breach.
Second, the Regents court considered the health care provider’s argument that
negligent release, as the term is used in section 56.36, subdivision (b), requires an
affirmative communicative act. In other words, having the records stolen is not a release
of the records because the health care provider did not affirmatively communicate the
information in those records. (Regents, supra, 220 Cal.App.4th at pp. 564-565.) The
court rejected the argument. It differentiated between “disclose” and “release” as used in
the Confidentiality Act. “Disclosure” is covered in section 56.10, subdivision (a) and
refers to affirmative communicative acts–giving out medical information on a patient.
On the other hand, release of medical information, as “release” is used in section 56.36, is
broader. The court said: “[U]nder the usual and ordinary meaning of the statutory
language, a health care provider who has negligently maintained confidential medical
information and thereby allowed it to be accessed by an unauthorized third person–that is,
permitted it to escape or spread from its normal place of storage–may have negligently
released the information within the meaning of [the Confidentiality Act].” (Regents,
supra, at p. 565, italics added, fn. omitted.)
For the purpose of this writ petition, we will assume without deciding that Regents
is correct in this regard–that negligent release under section 56.36 does not require an
affirmative communicative act but instead can be accomplished by negligently allowing
information to end up in the possession of an unauthorized person.
Third and finally, the Regents court held that to qualify for an award of nominal
damages under section 56.36, subdivision (b)(1), a plaintiff must plead and prove that the
records (in both that case and this case, the stolen records) were actually viewed by an
unauthorized person. (Regents, supra, 220 Cal.App.4th at pp. 569-570.) The court said:
“Even under the broad interpretation of ‘release’ we believe the Legislature intended in
section 56.36, subdivision (b), as incorporated into section 56.101, more than an
8
allegation of loss of possession by the health care provider is necessary to state a cause of
action for negligent maintenance or storage of confidential medical information.
[Citations.] What is required is pleading, and ultimately proving, that the confidential
nature of the plaintiff’s medical information was breached as a result of the health care
provider’s negligence.” (Regents, supra, at p. 570, fn. omitted.)
As we explain below, we agree with this conclusion, but we arrive at the
conclusion differently from the Regents court by finding that, without an actual
confidentiality breach, a health care provider has not violated section 56.101 and
therefore does not invoke the remedy provided in section 56.36.
Before we consider the statutes at issue, we must consider the plaintiffs’ argument
that Regents is factually distinguishable from this case and cannot be used as on-point
precedent. The plaintiffs argue that the loss of the medical information in this case was
“far more egregious” than the loss of medical information in Regents because the
electronic files in that case were encrypted while the electronic files in this case were
unencrypted. We disagree concerning the effect of encryption. Although the electronic
files in Regents were encrypted, the thief apparently also took the encryption password,
which was with the hard drive. That is tantamount to leaving the files unencrypted.
Here, although the files were not encrypted, they were password-protected. In any event,
the main pleading problem for the plaintiffs in this case and in Regents is the same: there
is no allegation that the medical information was viewed by an unauthorized person. The
factual differences in Regents do not temper its application to the facts of this case.
Section 56.10
Section 56.10 prohibits disclosure of medical information except when the
disclosure is permitted under the Confidentiality Act. Disclosure is not defined in the
statute, but the context and ordinary meaning suggest that disclosure occurs when the
health care provider affirmatively shares medical information with another person or
entity. (Regents, supra, 220 Cal.App.4th at p. 564.) The statute contains a lengthy list of
9
circumstances under which the health care provider must or may disclose medical
information, circumstances which do not violate the nondisclosure duty. (See § 56.10,
subds. (b) & (c).) Thus, disclosure, under section 56.10, subdivision (a) implies an
affirmative communicative act.
Here, there is no dispute that the computer was stolen by, not given to, the
unauthorized person. Sutter Health did not intend to disclose the medical information to
the thief, so there was no affirmative communicative act by Sutter Health to the thief. As
a result, section 56.10 does not apply to the facts of this case.
Section 56.101
Unlike section 56.10, which prohibits disclosure of medical information except
under specified circumstances, section 56.101 refers to the broader duties of the health
care provider with respect to the confidentiality of the medical information. The
language of section 56.101, subdivision (a) makes it clear that preserving the
confidentiality of the medical information, not necessarily preventing others from gaining
possession of the paper-based or electronic information itself, is the focus of the
legislation. Therefore, if the confidentiality is not breached, the statute is not violated.
The first sentence of subdivision (a) of section 56.101 provides: “Every provider
of health care . . . who creates, maintains, preserves, stores, abandons, destroys, or
disposes of medical information shall do so in a manner that preserves the confidentiality
of the information contained therein.” (§ 56.101, subd. (a), italics added.)
This sentence allows for change of possession as long as confidentiality is
preserved. For example, the subdivision imposes on the health care provider the duty to
maintain confidentiality in the manner in which the medical information is abandoned or
disposed of. Therefore, it cannot be said that section 56.101 imposes liability if the
health care provider simply loses possession of the medical records. Something more is
necessary–that is, breach of confidentiality.
10
The California Supreme Court recognized this legislative intent to protect the
confidentiality of medical information in a case dealing with the Confidentiality Act.
(Brown, supra, 51 Cal.4th 1052.) Although Brown was a disclosure case, not a release
case, the Supreme Court’s recognition of the intended protection is still helpful. “The
Confidentiality Act ([] § 56 et seq.) ‘is intended to protect the confidentiality of
individually identifiable medical information obtained from a patient by a health care
provider . . . .’ [Citations.]” (Id. at p. 1070.) “ ‘The basic scheme of the [Confidentiality
Act], as amended in 1981, is that a provider of health care must not disclose medical
information without a written authorization from the patient.’ [Citation.]” (Ibid.) “It
follows that ‘in order to violate the [Confidentiality Act], a provider of health care must
make an unauthorized, unexcused disclosure of privileged medical information.’
[Citation.]” (Id. at p. 1071.)
No breach of confidentiality takes place until an unauthorized person views the
medical information. It is the medical information, not the physical record (whether in
electronic, paper, or other form), that is the focus of the Confidentiality Act. While there
is certainly a connection between the information and its physical form, possession of the
physical form without actually viewing the information does not offend the basic public
policy advanced by the Confidentiality Act. This is evident in section 56.101,
subdivision (a), which allows, in effect, abandoning or disposing of medical records “in a
manner that preserves the confidentiality of the information contained therein.”
Here, the plaintiffs argue that Sutter Health negligently stored the medical
information and that the negligent storage resulted in a change of possession of the
information to an unauthorized person. This change of possession increased the risk of a
confidentiality breach. But the Confidentiality Act does not provide for liability for
increasing the risk of a confidentiality breach. It provides for liability for failing to
“preserve[] the confidentiality” of the medical records. (§ 56.101, subd. (a).) There is no
allegation that Sutter Health’s actions with respect to the records on the stolen computer
11
did not preserve their confidentiality because there is no allegation that an unauthorized
person has viewed the records. Without an actual breach of confidentiality, the loss of
possession is not actionable under section 56.101.
The legislation at issue is the “Confidentiality of Medical Information Act,” not
the Possession of Medical Information Act. (§ 56.) While loss of possession may result
in breach of confidentiality, loss of possession does not necessarily result in a breach of
confidentiality. For that reason, a plaintiff must allege a breach of confidentiality, not
just a loss of possession, to state a cause of action for nominal or actual damages under
sections 56.101. (Accord, Regents, supra, 220 Cal.App.4th at p. 570, which arrives at the
same conclusion by a different analytical route.)
The second sentence of section 56.101, subdivision (a) does not change this
analysis. Although it does not repeat the language requiring the health care provider to
preserve the confidentiality of the medical information, it makes the health care provider
liable for negligence. “Any provider of health care . . . who negligently creates,
maintains, preserves, stores, abandons, destroys, or disposes of medical information shall
be subject to the remedies and penalties provided under subdivisions (b) and (c) of
Section 56.36.” (§ 56.101, subd. (a), italics added.) An essential element of negligence
is that the tortfeasor’s breach caused the injury protected against. (Federico v. Superior
Court (1997) 59 Cal.App.4th 1207, 1210-1211.) The duty is to preserve confidentiality,
and a breach of confidentiality is the injury protected against. Without an actual
confidentiality breach there is no injury and therefore no negligence under section
56.101. That the records have changed possession even in an unauthorized manner does
not mean they have been exposed to the view of an unauthorized person.
Interpreting section 56.101 to provide $1,000 in damages to every person whose
medical information came into the possession of an unauthorized person without that
person viewing the information would lead to unintended results. For example, if a thief
grabbed a computer containing medical information on four million patients, but the thief
12
destroyed the electronic records to reformat and wipe clean the hard drive and sell the
computer without ever viewing the information or even knowing it was on the hard drive,
the health care provider would still be liable, at least potentially, for $4 billion. For all
we know, that may have happened here. We cannot interpret a statute to require such an
unintended result. (City of Cotati v. Cashman (2002) 29 Cal.4th 69, 77 [statutes
interpreted to avoid unintended results]; Regents, supra, 220 Cal.App.4th at p. 570.)
Section 56.36
The plaintiffs assert that section 56.36 provides a remedy for violation of section
56.101. Since we conclude that Sutter Health did not violate section 56.101, there is no
occasion to look to section 56.36 for a remedy. In any event, section 56.36 provides
remedies when a health care provider has “negligently released confidential information
or records concerning [the plaintiff] in violation of this part . . . .” (§ 56.36, subd. (b),
italics added.) For the reasons given, there is no “negligent[] release[] . . . in violation of
[the Confidentiality Act],” if there is no actual breach of confidentiality. Because Sutter
Health has not negligently released information or records in violation of the
Confidentiality Act, there is no remedy.
The nominal damages provision of section 56.36, subdivision (b)(1) does not
change this analysis. It provides for $1,000 in nominal damages and adds: “In order to
recover under this paragraph, it shall not be necessary that the plaintiff suffered or was
threatened with actual damages.” (§ 56.36, subd. (b)(1).) No damages, not even nominal
damages, are available unless the injury protected against is suffered. (Buttram v.
Owens-Corning Fiberglas Corp. (1997) 16 Cal.4th 520, 535.) Once an actual breach of
confidentiality is established, the plaintiff in an action under the Confidentiality Act may
be entitled to $1,000 in nominal damages without establishing any pecuniary loss or
threat of pecuniary loss. But nominal damages are not available if the injury–the
confidentiality breach–has not occurred.
13
Conclusion
Because the plaintiffs have not alleged an actual breach of confidentiality, the trial
court should have sustained Sutter Health’s demurrer. We also conclude that the
demurrer must be sustained without leave to amend and the action must be dismissed
because the plaintiffs have not demonstrated, either in the trial court or on appeal, that
there is a reasonable possibility they can amend the complaint to allege an actual breach
of confidentiality. (Regents, supra, 220 Cal.App.4th at p. 570, fn. 15; Schultz v. Harney
(1994) 27 Cal.App.4th 1611, 1623.)
DISPOSITION
The petition is granted. Let a peremptory writ of mandate issue directing the
superior court to vacate its order overruling the petitioners’ demurrer and to enter a new
order sustaining the demurrer without leave to amend and dismissing the real parties in
interests’ action. The stay imposed when we issued the alternative writ is vacated. The
petitioners are awarded their costs in this writ proceeding. (Cal. Rules of Court, rule
8.936.)
NICHOLSON , Acting P.J.
We concur:
MAURO , J.
DUARTE , J.
14