Doe v. Guthrie Clinic, Ltd.

Rivera, J.

(dissenting). Patients, who have little say in the matter, disclose their personal information to medical corporations trusting that it will be kept private. In answering the certified question in the negative, the majority limits a patient’s *486 remedy even in cases where a corporation has failed in its duty to protect confidential information. I believe that a medical corporation’s duty extends beyond an employee’s conduct within the scope of employment, and I would answer the certified question in the affirmative.

The majority’s narrow conception of a medical corporation’s duty undermines New York’s public policy to protect the confidentiality of patients’ medical records (see Public Health Law § 2803-c [1], [3] [f]). The ease with which confidential patient information can now spread through personal digital devices and across social networks demands a strong legal regime to protect a patient’s confidentiality. A cause of action directly against a medical corporation, unhampered by questions as to whether an employee’s conduct occurred within the scope of employment, ensures the fullest protections for patients and best addresses the current realities of medical service delivery.

Comprehensive medical records are crucial to ensuring proper medical care. Medical providers, including corporate medical providers, require private medical data from patients to ensure proper treatment. A patient reveals personal data for purposes of receiving medical services, with the understanding that the patient retains a right to confidentiality in such information. Technological advances have made it possible to collect and house patient data in ways easily accessible to a patient’s doctor and other health care provider staff. Computers and cellular devices have transformed medical record keeping and health care service provision, making access to such data fast and easy. While such access surely benefits both the patient and the provider, it also increases the potential for instantaneous and extensive unauthorized disclosure of confidential patient information by a range of staff personnel. Societal interest in maintaining patient privacy in medical records is served through a robust tort system, responsive to the realities of the ease of disclosure.

In some circumstances, we have limited a medical corporation’s liability for the negligence of its employees under a theory of respondeat superior (see e.g. N.X. v Cabrini Med. Ctr., 97 NY2d 247, 251-252 [2002]; Judith M. v Sisters of Charity Hosp., 93 NY2d 932, 933-934 [1999]; Hill v St. Clare’s Hosp., 67 NY2d 72, 79 [1986]; Suarez v Bakalchuk, 66 AD3d 419, 419 [1st Dept 2009]; Doe v Westfall Health Care Ctr., 303 AD2d 102, 110 [4th Dept 2002]; see also majority op at 484). Respondeat superior is a theory of vicarious liability that originally developed under *487 the assumption that a master could control the conduct of an agent (see Mott v Consumers’ Ice Co., 73 NY 543, 546-547 [1878]; Restatement [Second] of Agency § 219, Comment a). The modern theory of respondeat superior gives the injured plaintiff a means to recover a remedy from well-insured employers and provides incentives for employers to hire careful employees (see Riviello v Waldron, 47 NY2d 297, 302 [1979]; Restatement [Third] of Agency § 2.04, Comment a). Nonetheless, the law limits the employer’s liability to acts “done while the servant was doing his master’s work, no matter how irregularly, or with what disregard of instructions”: acts done within the scope of employment (Riviello, 47 NY2d at 302 [citations omitted]). This limitation relieves an employer from liability for an employee’s torts when the employer neither benefits from the tortious conduct nor has the means to control the employee’s behavior.

Such limitations have no place in a negligence action against a medical corporation for disclosure of confidential medical records. As the majority notes, it is the medical corporation itself, not merely its employees, which owes the duty of confidentiality to the patient (see majority op at 485). New York’s public policy would be furthered by permitting a cause of action for breach of medical confidentiality, even in cases where an employee has acted outside the scope of employment, because patients must reveal medical data in order to obtain care from the medical corporation and the patient has no way of protecting against its unauthorized disclosure or means of controlling who has access to it.*

Our decision in N.X. v Cabrini Med. Ctr. (97 NY2d 247 [2002]) recognized that a hospital owes a duty to keep patients safe, even from third parties and employees acting outside the scope of employment. In that case, a surgical resident sexually assaulted the plaintiff (id. at 249). We held that the hospital could not be held vicariously liable for the resident’s wrongdoing *488 because he was acting outside the scope of his employment (id. at 251-252). However, that did not end the inquiry. We also held that “[a] hospital has a duty to safeguard the welfare of its patients, even from harm inflicted by third persons, measured by the capacity of the patient to provide for his or her own safety” (id. at 252) and limited “by those risks which are reasonably foreseeable” (id. at 253). In Cabrini, the hospital had an independent duty to prevent the employee who acted outside the scope of his employment from harming the plaintiff. Thus, the hospital could be liable for the breach of its duty through the inaction of its nursing staff in the face of obvious risks (see id. at 253-254). When a patient lays helpless in a hospital bed, entrusting his or her care to the hospital, the hospital has an independent duty to ensure his or her safety.

Similarly, a patient entrusts private medical information to the care of the medical corporation and its employees, over whom the patient has no control. The patient’s only surefire means to prevent accidental disclosure would be to forgo turning over the confidential information in the first place. This is not a realistic option because a patient cannot expect delivery of medical services without disclosing such data. Indeed, the medical profession encourages full disclosure by the patient of a comprehensive medical history (see AMA Code of Med Ethics Op 10.02 [2]). In order to receive treatment, a patient must reveal personal information; a patient withholds such data at his or her peril. Having turned over private information to ensure proper and adequate treatment, the patient is at the mercy of the medical corporation’s ability to protect its confidentiality. A hospital should owe a duty to keep a patient’s health information confidential, and a hospital should be directly liable for its own failure to prevent breaches of confidentiality by employees who act outside the scope of their employment.

In order to protect the patient’s privacy interests given the competing need to disclose, such a cause of action would provide a powerful incentive to medical corporations to implement protections against disclosures. Given the highly personal nature of medical data at risk of disclosure, the harm associated with dissemination of such sensitive private information, the ease with which employees of a medical corporation may access confidential data and disseminate it through the use of a commonly held and inexpensive device, a cellular telephone, and the inability of patients to protect themselves from employee *489 misconduct, such an incentive furthers the State’s public policy in protecting the confidentiality of medical records.

The certified question should be answered in the affirmative.

Chief Judge Lippman and Judges Graffeo, Read, Smith and Abdus-Salaam concur with Judge Pigott; Judge Rivera dissents and votes to answer the certified question in the affirmative in an opinion.

Following certification of a question by the United States Court of Appeals for the Second Circuit and acceptance of the question by this Court pursuant to section 500.27 of this Court’s Rules of Practice, and after hearing argument by counsel for the parties and consideration of the briefs and record submitted, certified question answered in the negative.

* The majority believes that claims based on vicarious liability and sounding in negligence limited to conduct within the scope of employment provide sufficient relief for a patient whose private information is wrongfully disclosed (majority op at 485). As the instant case well illustrates, those causes of action alone are inadequate to remedy a breach of the duty to maintain the confidentiality of personal data, and they provide cold comfort to a patient whose personal data is disclosed due to the status of the employee and regardless of the actions of the employer that facilitated disclosure. Our legal system must be responsive to a health care service system with its attendant comprehensive data collection, supported by technological advances that are vulnerable to access.