The second appellate district Court of Appeals in California ruled in favor of UCLA Health this week, after a patient sued the provider for damages based on a breach that leaked the protected health information (PHI) of approximately 16,000 patients. The ruling could have a positive affect on all healthcare providers, one industry association says.
The court ruled that in order for a patient to receive statutory damages based on negligent storage or maintenance of confidential medical information, the unauthorized person must have actually viewed the information. In this case, a laptop was stolen in a home invasion robbery of a UCLA physician. The laptop had encrypted information on 16,000 patients, and the encryption key was also stolen. However, there was no evidence that any third party illegally accessed the information, so the court ruled in favor of UCLA Health.
The plaintiff, Melinda Platter, said in the lawsuit that UCLA Health was in violation of the California Confidentiality of Medicine Act. She sought $16 million in damages. The California Hospital Association, which petitioned on behalf of UCLA Health, said the ruling was "good news for hospitals and other healthcare providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information."