Recent court rulings could provide cover when computers with patient data are stolen
July decisions by courts in California and Illinois place limits on patient class-action suits when thieves steal computers containing protected personal health data.
Illinois Kane County and Lake County Circuit Court judges, as well as a California state appeals court, have each dismissed privacy cases against major health systems because lawyers for the affected patients failed to show that the data on the stolen computers had been accessed by the thieves and that the patients suffered any damages as a result of the thefts.
In the Illinois cases, Advocate Health and Hospitals Corp., based in Downers Grove, Illinois, faced two class-action suits stemming from the theft a year ago of four laptop computers from the Advocate Medical Group administrative office in the Chicago suburb of Park Ridge. The computers contained records on 4,029,530 patients, according to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights. The computers were password protected but not encrypted. The thieves were never caught, but because credit monitoring of the affected patients did not turn up unusual fraudulent activity after the theft, it appeared unlikely that the thieves knew the value of the data contained on the computers or how to access it. Both the Kane and Lake county judges ruled that, absent any evidence of the affected individuals having been harmed by the theft of the computers, Advocate Health and Hospitals Corp. did not have to compensate the patients for having lost the data.
Advocate still faces additional class-action suits stemming from the theft, but so far has been able to get relief from the courts because of the lack of evidence that the data on the stolen computers was ever accessed or used.
Similarly, in California, the three justices of the state’s 3rd District Court of Appeal found that for patients to successfully sue for compensation under the confidentiality statute, they need to present proof that the stolen data was actually accessed by an unauthorized person or persons. The case involved a class action against Sutter Health over the October 2011 theft of a computer from a Sutter Medical Foundation office.
“It is the medical information, not the physical record (whether in electronic, paper, or other forms), that is the focus of the Confidentiality Act,” the appellate opinion stated. The judges also found that holding a medical provider accountable in a case where the information may never have been accessed could have unintended consequences because the individual damage award – in this case $1,000 per patient – easily multiplies into the billions if, as in this case, around 4 million records are contained on the computer.
“If a thief grabbed a computer containing medical information on 4 million patients, but the thief destroyed the electronic records to reformat and wipe clean the hard drive and sell the computer without ever viewing the information or even knowing it was on the hard drive, the health care provider would still be liable, at least potentially, for $4 billion. For all we know, that may have happened here,” the opinion states.
Providers are still subject to government fines when poor security measures lead to thefts. However, requiring patients to prove that their information was actually accessed by computer thieves is a favorable development for healthcare providers in cases of computer theft.