In two landmark cases, two of California’s largest and most prestigious healthcare providers, Eisenhower Medical Center and Sutter Health, have fended off lawsuits following security data breaches that could have cost in aggregate billions of dollars, according to a release statement from Beazley Insurance Services.
In the first case, a $500 million class action suit against Eisenhower Medical Center, the California Court of Appeal ruled that healthcare providers are not liable under the state’s Confidentiality of Medical Information Act (CMIA) for the release of patients’ personal information if it does not include information about medical histories, conditions or treatments.
In a similar vein, the California Supreme Court declined on October 15, 2014 to hear an appeal against two lower court decisions that had found that Sutter Health was not liable under the CMIA for damages of up to $1000 per individual for a data breach involving the theft of a desktop computer relating to more than four million patients.
“These decisions set a powerful precedent on damages that can be awarded in the event of data breaches,” said Beth Diamond, claims team leader for Beazley’s technology, media and business service focus group. “While healthcare providers have a clear duty to protect patient information, they should not be subject to opportunistic damages claims. We applaud the courts’ decisions in establishing firm boundaries on liability.”
Michael Appelhans, General Counsel at Eisenhower Medical Center, added: “We strongly believed this suit lacked merit and, with staunch support from our insurer Beazley, we were able to fight the case successfully. A court award on the scale sought by the plaintiffs would have set a disastrous precedent for healthcare providers in our state.”
Data breaches remain a daily occurrence in the US healthcare market as a whole. Since 2009 it has been a federal requirement that large healthcare breaches affecting 500 or more patient records be reported to the Secretary of Health and Human Services: to date breaches accounting for more than 38 million patient records have been reported in this way.
“Despite these rulings, lawsuits targeting companies that have experienced a data breach are not going away anytime soon,” said Ted Kobus, National Co-Leader on Privacy and Data Protection at BakerHostetler, the law firm that represented Eisenhower Medical Center. “We expect to see further efforts by the plaintiffs’ bar to develop innovative theories of liability that will present additional risks to affected organizations in the wake of a data breach.”
A full transcript of Eisenhower Medical Center v The Superior Court of Riverside County can be found here. A full transcript of Sutter Health et al v The Superior Court of Sacramento County can be found here.