BreachExchange mailing list archives

State Supreme Court Limits Liability for Medical Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Oct 2014 18:07:50 -0600

http://www.allgov.com/usa/ca/news/top-stories/state-supreme-court-limits-liability-for-medical-data-breaches-141021?news=854589

If a tree falls unseen in the forest, has it truly fallen? If the
unencrypted medical records of 4 million people vanish with a stolen
desktop computer, has there really been a security breach?

A Sacramento County Superior Court said yes, but a state appellate court
said no and last week the California Supreme Court issued a one-line
statement that it would not get involved. The appellate court ruled that
victims of the data loss did not have a claim for damages because they
could not prove that the data was looked at by the thief.

The alleged security breach occurred on October 17, 2011, when a laptop was
swiped from Sutter Medical Foundation. It contained data on 943,000
patients and another 3.3 million records of other health care providers for
whom the foundation provides billing and managed care services.

It is a not-unfamiliar story. Medical records are hot commodities on the
black market. They can be used for insurance fraud as well as the standard
bank and credit card fraud associated with identity theft. The U.S.
Department of Health and Human Services (HHS) lists 19 breaches of health
privacy information, affecting at least 500 patients each, in California
this year.

They occurred via desktop computer, laptop, other portable electronic
devices, e-mail and paper. Three of the breaches involved more than 3
million patients each. Often, the data was unencrypted and the security lax.

After the Sutter breach, plaintiffs sought court permission to bring a
lawsuit on behalf of all the patients whose records were stolen. The
plaintiffs argued that the state Confidentiality of Medical Information Act
(pdf) protects patients when a health care provider negligently releases
medical information it shouldn't. In addition to not encrypting the
information, the Sutter office lacked a security alarm or cameras.

The statute reads: “Any provider of health care . . . who negligently
creates, maintains, preserves, stores, abandons, destroys, or disposes of
medical information shall be subject to the remedies and penalties.”

The plaintiffs argued that the damage done may not be known for years. They
sought $1,000 from Sutter for each patient, as prescribed by the law, for a
total of $4 billion.

Sutter said unless there was proof that the files had been read, there had
been no breach of confidentiality. The court agreed and offered this
example. “If a thief grabbed a computer containing medical information on
four million patients, but the thief destroyed the electronic records to
reformat and wipe clean the hard drive and sell the computer without ever
viewing the information or even knowing it was on the hard drive, the
health care provider would still be liable, at least potentially, for $4
billion. For all we know, that may have happened here.”

It may have. But that wouldn't have precluded the court from finding there
had been a breach of confidentiality when the data was stolen, and reducing
the damages because of mitigating circumstances; i.e. the data had been
destroyed.

The three-judge appellate court unanimously decided there had been no
breach and the Supreme Court did not disagree.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 