[ Wednesday, July 23, 2014 ]
Sutter Health Data Breach Update: No proof of harm, no statutory damages.
Jeff [10:25 PM]
As you know, someone threw a brick through a plate glass door and stole a desktop (!) computer from a Sutter Health location. The desktop had protected health information on 4 million Sutter beneficiaries. The California Confidentiality of Medical Information Act contains a statutory damages amount of $1,000 per person, which implies a potential $4 BILLION fine for Sutter.
Not so fast. A circuit court in California has determined that, since there's no evidence the thief actually looked at the data (as opposed to acquiring and possessing it), there's no proof that the statute was violated. As the court said, it's called "the "Confidentiality of Medical Information Act,' not the 'Possession of Medical Information Act.'" Loss of peace of mind apparently isn't a damage.
While this is the second time the court threw out a claim of breach where loss was certain but actual viewing or use wasn't, I suspect nothing will be settled here until the California Supreme Court (and possibly the US Supreme Court) rules.
Blogger: HIPAA Blog - Edit your Template