UCLA Health dodges $16 million breach claim

In a ruling that seems to run counter to HIPAA, a California appellate court has ruled that providers aren't necessarily liable to patients when medical records are stolen or misappropriated unless they are accessed by a third party.

Patient Melinda Platter had sought damages from the University of California after a laptop was stolen in a 2011 home invasion robbery of a UCLA Health physician. The laptop was encrypted, according to federal and state requirements, but an index card containing the access password also was stolen. However, there was no evidence that the data was ever accessed.

The state's Confidentiality of Medical Information Act provides for a fine of $1,000 for each patient record breached. With 16,000 patient records on the laptop, the fine could have totaled $16 million. Instead, the appeals court ruled that the suit be dismissed.

"The decision is good news for hospitals and other healthcare providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information," the California Hospital Association said in blog post.

Forty percent of large data breaches involve laptop or storage devices that are lost or stolen, according to the U.S. Department of Health & Human Services. As health data breaches proliferate, however, lawyers are changing tactics beyond trying to show that exposure of patients' personal information led to financial harm.

Downers Grove, Ill.-based Advocate Medical Group faces a class-action lawsuit by patients--in addition to state and federal investigations--after personal information for more than 4 million patients was compromised in the July theft of four computers. That lawsuit claims it failed to use encryption and other security practices.

It was the second-largest loss of unsecured health information reported to HHS since the agency made notification mandatory in 2009.

To learn more:
- read the ruling (.pdf)
- find the blog post

Suggested Articles

Veterans Health Administration medical facilities currently have a paper medical record backlog that if stacked up would be 5.15 miles high, according to the…

The Department of Health and Human Services announced proposed changes to privacy restrictions on patients' substance use treatment records.

An FDA official said the agency is in discussions with multiple stakeholders to create a universal unique medical device identifier to be stored in EHRs.