UCLA Health dodges $16 million breach claim

In a decision that seems to run counter to HIPAA, a California appellate court has ruled that providers aren't necessarily liable to patients when medical records are stolen or misappropriated unless the records are accessed by a third party.

Patient Melinda Platter had sought damages from the University of California after a laptop was stolen in a 2011 home invasion robbery of a UCLA Health physician. The laptop was encrypted, according to federal and state requirements, but an index card containing the access password also was stolen. However, there was no evidence that the data was ever accessed.

The state's Confidentiality of Medical Information Act provides for a fine of $1,000 for each patient record breached. With 16,000 patient records on the laptop, the fine could have totaled $16 million. Instead, the appeals court ruled that the suit be dismissed.

"The decision is good news for hospitals and other healthcare providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information," the California Hospital Association said in a blog post.

Forty percent of large data breaches involve laptops or storage devices that are lost or stolen, according to the U.S. Department of Health & Human Services. As health data breaches proliferate, however, lawyers are changing tactics beyond trying to show that exposure of patients' personal information led to financial harm.

Downers Grove, Ill.-based Advocate Medical Group faces a class-action lawsuit by patients, in addition to state and federal investigations, after personal information for more than 4 million patients was compromised in the July theft of four computers. That lawsuit claims the group failed to use encryption and other security practices.

It was the second-largest loss of unsecured health information reported to HHS since the agency made notification mandatory in 2009.
