California Court of Appeal Rules Breach Claims Against UCLA Must Be Dismissed


Oct. 17 -- California's Confidentiality of Medical Information Act permits a private right of action for statutory damages for the negligent maintenance of medical information only in cases where the negligence leads to unauthorized or wrongful access by a third party, the California Court of Appeal, Second Appellate District, held Oct. 15 (Regents of the Univ. of Cal. v. Superior Court of Los Angeles County, 2013 BL 284796, Cal. Ct. App., No. B249148, 10/15/13).

Plaintiff Melinda Platter sued the Regents of the University of California on behalf of a proposed class following a 2011 data breach at the UCLA Health System.

In November 2011, the Regents advised more than 16,000 patients treated at the hospital's facilities that an encrypted hard drive containing their confidential medical information--along with an index card containing the password for the encrypted information--had been stolen during a robbery at a physician's home.

Platter claimed that the Regents violated the CMIA, Cal. Civ. Code §§ 56-56.37, by failing to exercise due care to prevent the release of her and other proposed class members' confidential medical information. Although she did not allege that she had suffered actual damages, she sought statutory damages of $1,000 for herself and each proposed class member under the act.

In April 2013, the Superior Court of California for the County of Los Angeles overruled the Regents' demurrer, concluding that Platter had stated a claim for a violation of the CMIA because the Regents' lack of reasonable controls and systems led to the negligent loss of possession of the hard drive and password. However, it also dismissed a portion of her CMIA claim because she failed to allege that the Regents affirmatively disclosed her confidential information.

The Regents petitioned the court of appeal for a writ of mandate directing the lower court to vacate its order overruling the demurrer. The court of appeal granted the petition and directed the superior court to vacate its order and enter a new order sustaining the demurrer without leave to amend.

Must Plead Release of Information

The CMIA, at Section 56.10(a), generally prohibits health care providers, health care service plans and contractors from disclosing a patient's medical information without first obtaining his or her authorization.

Section 56.36(b) allows “any individual” to “bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part” for nominal damages of $1,000 and actual damages, if any. Section 56.36(c) allows for administrative fines and civil penalties for disclosures or uses of information in violation of the CMIA.

Under Section 56.101(a), “any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.”

The superior court concluded that Section 56.101 does not require a negligent release of confidential information in order for a claimant to be eligible for nominal damages under Section 56.36(b).

The court of appeal said the lower court interpreted Section 56.101 too narrowly. “By incorporating the entire subdivision (b) 'remedy,' and not simply the measure of damages described in subdivision (b)(1) and (2), the Legislature plainly intended an action predicated on a health care provider's negligent maintenance of confidential information in violation of section 56.101 also plead and prove a release of that information,” the appellate court said.

The court said an earlier version of the bill that added those sections to the CMIA did not contemplate a “separate, stand-alone private cause of action for violation of section 56.101.” That version of Section 56.101 stated that health care providers “shall be subject to the provisions of this part,” or the CMIA's provisions, the court explained.

No Affirmative Act Necessary

Although a private cause of action for nominal damages based on the negligent storage or maintenance of confidential medical information requires pleading and proof of a release of information, such an action does not require proof of “an affirmative communicative act by the health care provider,” the court of appeal concluded.

The term “release” used in Section 56.36(b) is not synonymous with the term “disclose” in Section 56.10(a), the court said. The term “release” is broader than “disclose,” it explained. While “disclose” is an active verb, the definition of “release” includes acts that are not affirmative, such as “allowing to spread” and “enabling to escape,” the court said.

“Thus, under the usual and ordinary meaning of the statutory language, a health care provider who has negligently maintained confidential medical information and thereby allowed it to be accessed by an unauthorized third person--that is, permitted it to escape or spread from its normal place of storage--may have negligently released the information within the meaning of CMIA,” the court held.

The court, however, found that Platter's complaint failed to state sufficient facts to support a cause of action for statutory damages under the CMIA. She failed to allege that her medical information was breached as a result of the Regents' negligence, the court said, directing the superior court to dismiss her action.

“Even under the broad interpretation of 'release' we believe the Legislature intended in section 56.36, subdivision (b), as incorporated into section 56.101, more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information,” the court said.

Charles F. Robinson, Karen J. Petrulakis and Margaret L. Wu, of the University of California's Office of General Counsel, and Bradley S. Phillips, of Munger Tolles & Olson LLP, in Los Angeles, as well as Michelle T. Friedland of the firm's San Francisco office, represented the Regents. Brian S. Kabateck and Richard L. Kellner, of Kabateck Brown Kellner LLP, in Los Angeles; and Don A. Ernst and Taylor Ernst, of Ernst Law Group, in San Luis Obispo, Calif., represented Platter.

Full text of the court's opinion is available at
