Sutter Health v. Superior Court of Sacramento Cnty.

Decision Date01 January 2014
Docket NumberC072591
Citation174 Cal.Rptr.3d 653,227 Cal.App.4th 1546
CourtCalifornia Court of Appeals Court of Appeals
PartiesSUTTER HEALTH et al., Petitioners, v. The SUPERIOR COURT of Sacramento County, Respondent; Dorothy Atkins et al., Real Parties in Interest.

OPINION TEXT STARTS HERE

See 2 Witkin, Cal. Evidence (5th ed. 2012) Witnesses, § 538.

ORIGINAL PROCEEDING in mandate. Petition granted. David De Alba, Judge. (JCCP No. 4698)

Bartko, Zankel, Tarrant & Miller, Bartko, Zankel, Bunzel & Miller, San Francisco, Robert H. Bunzel, William I. Edlund, and Michael D. Abraham for Petitioners.

Crowell & Moring and Ethan P. Schulman, San Francisco, for the California Association of Health Plans and the Association of California Life and Health Insurance Companies as Amici Curiae on behalf of Petitioners.

Lois J. Richardson, Sacramento, for California Hospital Association as Amicus Curiae on behalf of Petitioners.

Munger, Tolles & Olson, Los Angeles, Bradley S. Phillips, Michelle A. Friedland, and Amelia L.B. Sargent for the Regents of the University of California as Amici Curiae on behalf of Petitioners.

Sedgwick, San Francisco, Stephanie Sheridan, Kelly Savage Day, and Alison Andre for Alere Home Monitoring, Inc., as Amici Curiae on behalf of Petitioners.

No appearance for Respondent.

Ahdoot & Wolfson, Los Angeles, Robert Ahdoot, Tina Wolfson, West Hollywood, Theodore W. Maya, Bradley King; Kershaw Cutter & Ratinoff, Sacramento, C. Brooks Cutter, William A. Kershaw, John R. Parker, Jr., Atlanta; Ram, Olson, Cereghino & Kopczynski, San Francisco, Michael F. Ram, Jeffrey B. Cereghino, Matt J. Malone; Dreyer Babich Buccola Wood Campora, Sacramento, Robert A. Buccola, Steven M. Campora; Audet & Partners, William M. Audet, San Francisco, Joshua C. Ezrin; Keller Grover, San Francisco, Eric A. Grover, Carey G. Been; Law Offices of Scot D. Bernstein, Mather Field, Scot Bernstein; Harris & Ruble, Los Angeles, Alan Harris, Abigail A. Treanor, Priya Mohan, Los Angeles; The Law Office of Darryl A. Stallworth, Oakland, Darryl A. Stallworth; Clayeo C. Arnold, Sacramento, Clifford L. Carter, Kirk J. Wolden, Clayeo C. Arnold, Sacramento; Meiselman, Denlea, Packman, Carton & Ebertz, James R. Denlea, Jeffrey I. Carton, Jeremiah Frei–Pearson; Trial Law Offices of Bradley I. Kramer, M.D., Beverly Hills, Bradley I. Kramer; Mastagni, Holstedt, Amick, Miller & Johnsen, Sacramento, David P. Mastagni, and David E. Mastagni for Real Parties in Interest.

Kabateck Brown Kellner, Los Angeles, Brian S. Kabateck, Richard L. Kellner, and Scott M. Malzahn for Consumer Attorneys of California, Consumer Federation of California, Consumer Action, Privacy Rights Clearinghouse, Privacy Activism, California Alliance for Retired Americans, and California Advocates for Nursing Home Reform as Amici Curiae on behalf of Real Parties in Interest.

NICHOLSON, Acting P.J.

The Confidentiality of Medical Information Act, which we refer to in this opinion as the Confidentiality Act, protects the confidentiality of patients' medical information. (Civ. Code, § 56 et seq.; all remaining code citations, though unspecified, are to the Civil Code.) Among other remedies, the Confidentiality Act provides for an award of $1,000 in nominal damages to a patient if the health care provider negligently releases medical information or records in violation of the Confidentiality Act. (§ 56.36, subd. (b)(1).)

In this case, a thief stole a health care provider's computer containing medical records of about four million patients. The plaintiffs filed an action under the Confidentiality Act, seeking to represent, in a class action, all of the patients whose records were stolen, with a potential award of about $4 billion against the health care provider. The health care provider demurred to the complaint and moved to strike the class allegations, but the trial court overruled the demurrer and denied the motion to strike. On the petition of the health care provider, we issued an alternative writ of mandate to review the trial court's rulings.

We conclude that the plaintiffs have failed to state a cause of action under the Confidentiality Act because they do not allege that the stolen medical information was actually viewed by an unauthorized person. We therefore grant the health care provider's petition for a peremptory writ of mandate and direct the trial court to sustain the health care provider's demurrer without leave to amend and dismiss the action.

The parties also argue other questions such as whether a class action is proper under these circumstances and whether a potential award of about $4 billion in nominal damages would violate the health care provider's due process rights. We do not reach these questions because our conclusion that the plaintiffs have not stated a cause of action for violation of the Confidentiality Act resolves the petition for relief.

BACKGROUND

The real parties in interest (the plaintiffs) allege that the petitioners (Sutter Health and several other defendants, which we refer to in this opinion simply as Sutter Health because there is no reason to differentiate) violated sections 56.10 and 56.101 of the Confidentiality Act, which invoked the remedy provision of 56.36. The relevant parts of those statutes provide as follows:

“A provider of health care ... shall not disclose medical information regarding a patient of the provider of health care ... without first obtaining an authorization, except as provided in subdivision (b) or (c).” (§ 56.10, subd. (a).) Subdivisions (b) and (c) list circumstances under which the health care provider must or may disclose records. None of those circumstances is relevant to this action.

“Every provider of health care ... who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care ... who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (§ 56.101, subd. (a).)

“In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: [¶] (1) ... nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. [¶] (2) The amount of actual damages, if any, sustained by the patient.” (§ 56.36, subd. (b).)

These proceedings are based on the well-pleaded facts alleged in the plaintiffs' complaint. (Brown v. Mortensen (2011) 51 Cal.4th 1052, 1057, fn. 1, 126 Cal.Rptr.3d 428, 253 P.3d 522 (Brown ).)

Sutter Health maintained medical records concerning the plaintiffs. In October 2011, someone broke into an office of Sutter Health and stole a desktop computer. The medical records of more than four million patients were stored on the computer's hard drive in password-protected but unencrypted format, and the office from which the computer was taken did not have a security alarm or security cameras.

In November 2011, Sutter Health publicly announced that the medical records had been stolen. Soon after the announcement, the plaintiffs began filing individual complaints alleging violation of the Confidentiality Act. Those actions were coordinated, and a master complaint was filed.

The complaint does not allege that any unauthorized person has actually viewed the stolen records from the password-protected but unencrypted hard drive. Instead, the complaint alleges: Plaintiffs are informed and believe that potential misuses of personal medical information may not manifest itself for numerous years, and furthermore that credit monitoring services survey only a small segment of such potential misuses.”

The plaintiffs model their complaint as a class action, seeking to represent [a]ll persons residing in the State of California whose ‘medical information’ ... was present on a computer stolen [in October 2011] from [Sutter Health].” (Italics omitted.) The complaint alleges that Sutter Health violated sections 56.10 and 56.101 of the Confidentiality Act and seeks an award of $1,000 in nominal damages for each class member under section 56.36, subdivision (b)(1). Because the complaint alleges that Sutter Health violated the Confidentiality Act with respect to about four million patients and seeks $1,000 per patient, the complaint potentially seeks about $4 billion in nominal damages.

Sutter Health filed a demurrer to the complaint. It argued, among other things, that the complaint does not state a cause of action under the Confidentiality Act because it does not allege that any unauthorized person has viewed the stolen medical information. Sutter Health also filed a motion to strike the class allegations in the complaint because, among other things, the Confidentiality Act allows individual actions only.

The trial court overruled the demurrer. It held that the complaint sufficiently pleaded a cause of action for breach of the Confidentiality Act without alleging that an unauthorized person had viewed the medical information.

The court also denied the motion to strike. It did not reach the merits of whether the Confidentiality Act allows a class action. Instead, it ruled that the question would more appropriately be addressed in class certification proceedings, which had not yet taken place. (The court struck a prayer for injunctive and equitable relief in the complaint, but that part of the ruling is not at issue in these proceedings.)

Sutter Health filed a petition for writ of mandate, and we issued an alternative writ.1

DISCUSSION

The plaintiffs failed to state of cause of action under the Confidentiality Act because they failed to allege...

To continue reading

Request your trial
14 cases
  • Stasi v. Inmediata Health Grp. Corp.
    • United States
    • U.S. District Court — Southern District of California
    • November 19, 2020
    ...communicative act" by the defendant, which does not occur if the information is stolen. Sutter Health v. Superior Court , 227 Cal. App. 4th 1546, 1556, 174 Cal.Rptr.3d 653 (2014) ; see also Regents of Univ. of Cal. v. Superior Court , 220 Cal. App. 4th 549, 564, 163 Cal.Rptr.3d 205 (2013) (......
  • De Vries v. Regents of the Univ. of Cal.
    • United States
    • California Court of Appeals Court of Appeals
    • December 9, 2016
    ...the same subject must be harmonized, both internally and with each other, to the extent possible"]; Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 1555, 174 Cal.Rptr.3d 653 [looking to "the context and ordinary meaning" of a term "not defined in the statute"].) Section 1621 is......
  • Vigil v. Muir Med. Grp. Ipa, Inc.
    • United States
    • California Court of Appeals Court of Appeals
    • September 26, 2022
    ...of his or her medical information had been breached by an unauthorized party, as required by Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 174 Cal.Rptr.3d 653 ( Sutter Health ), and therefore that common issues would not predominate.Vigil appeals, asserting that the trial cou......
  • In re Premera Blue Cross Customer Data Sec. Breach Litig.
    • United States
    • U.S. District Court — District of Oregon
    • August 1, 2016
    ...a threshold matter that an "unauthorized person has actually viewed the [plaintiff's] stolen records[.]" Sutter Health v. Superior Court , 174 Cal.Rptr.3d 653, 656 (Cal.Ct.App.2014) ; see also Regents of Univ. of California v. Superior Court , 163 Cal.Rptr.3d 205, 221 (Cal.Ct.App.2013) (sam......
  • Request a trial to view additional results
1 firm's commentaries
3 books & journal articles

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT