Last year, I discussed the phenomenon of a big dollar class action suit seeking almost a billion dollars in statutory damages arising out of a healthcare data breach. A break-in at Sutter Health occurred at its administrative offices in October 2011, in which burglars stole a desktop computer containing unencrypted electronic medical records on a large number of patients. On the date Sutter Health announced the breach, November 16, 2011, the first of over two dozen class actions was filed.
Five days later, attorneys filed Karen Pardieck v. Sutter Health, No. 34-2011-00114396, in the Sacramento County Superior Court. The complaint alleged the compromise of 944,000 patients’ records. The complaint sought statutory nominal damages of $1000 per patient, or $944 million in total – almost a billion dollars.
California’s Confidentiality of Medical Information Act (CMIA) prohibits healthcare entities from disclosing medical information without authorization, subject to certain exceptions. To redress CMIA violations, an individual can recover $1000 in nominal damages in a civil action against a healthcare entity. Cal. Civil Code § 56.36(b)(1). Plaintiffs like Pardieck are using this statute to allege a cause of action to recover for a data security breach.
The California legislature, however, enacted AB 439 last year to cut back on big dollar privacy breach cases, although I believe its effect will be limited. AB 439 applies to suits filed on or after January 1, 2013. It creates an affirmative defense for healthcare entities that otherwise would be liable for nominal damages under CMIA. To assert the defense, a defendant must prove:
- The defendant is a HIPAA covered entity or business associate.
- The defendant has complied with applicable breach notification requirements.
- The unauthorized release was solely to another covered entity or business associate.
- The release was not an incident of medical identity theft.
- The defendant had taken preventative action to protect the records consistent with the HIPAA Security Rule.
- The defendant took reasonable and appropriate corrective action after the release, and the healthcare entity that received the information destroyed or returned the information promptly (or could not have done so because of its technology environment).
- The receiving entity did not retain, use, or release the information.
- The defendant took reasonable and appropriate action to prevent future similar incidents.
- The defendant has not used this affirmative defense mechanism before, or if it has, the defendant convinces the court, in its discretion, that application of the defense is compelling and consistent with the promotion of reasonable conduct in light of all the facts.
Id. § 56.36(e)(2).
AB 439’s defense, however, has significant limitations.
- Establishing the defense means that the defendant cannot be liable for more than one judgment on the merits arising out of a single event, transaction, or occurrence, but the defendant would be liable for the first judgment.
- AB 439 does not address class actions. Its limitation is on multiple judgments, not multiple claimants. Thus, the first judgment could be in a class action and could entail substantial nominal damages when calculated over a large number of class members covered by the judgment.
- AB 439 may encourage a race to the courthouse for plaintiffs seeking to get to judgment first, thereby increasing the number of suits arising out of a single incident and increasing up front defense costs.
- Even in suits in which the defense eliminates liability, plaintiffs can still recover attorneys’ fees and costs.
- Most importantly, AB 439 applies to only a limited set of breaches—ones in which the party gaining unauthorized or inadvertent access to medical information is itself a covered entity or business associate. This limitation means that for breaches like the one at Sutter Health, in which a criminal stole the information, the affirmative defense would not apply.
Given the above limitations, my guess is that not too many healthcare entities would obtain relief under AB 439 from large privacy data breach cases. Nonetheless, defense counsel should add AB 439 to the checklist of items to consider when analyzing the legal posture of a healthcare entity client experiencing a data breach. Moreover, AB 439 provides some incentive to work with a party receiving unauthorized access to information to obtain its destruction or return.
Partner, Cooke Kobrick & Wu LLP