California Court Rejects Private Cause of Action for Stolen Medical Data Without Proof of Harm
Drug and Device Blog reports on a California Court of Appeal decision in which an intermediate appellate panel held that the California Confidentiality of Medical Information Act does not allow plaintiffs to sue over the negligent maintenance of their confidential medical information unless that information was accessed wrongfully or without authorization.
In the underlying case, a doctor took home a hard drive containing the personal health information of 16,000 patients. The hard drive and the encryption passcodes were stolen, but no one knows whether the thief viewed or tried to view the patients' personal health information.
Drug and Device Blog said the case has "broad appeal because the fact pattern is so typical of 'data security breach' lawsuits: Private information resides on a stolen hard drive or is sent off into the ether with nary an indication that anyone received, reviewed, used, or otherwise paid any attention to the information. At another level, such lawsuits (which are usually class actions) almost never articulate any credible basis that the plaintiffs suffered any actual harm."