A computer hard drive containing private medical information for 16,000 patients at UCLA was stolen. One of the patients filed a class action lawsuit seeking $1,000 per patient ($16 million total) in statutory damages against the UC Regents. Although the plaintiff pled that the UC system negligent stored the patient data the plaintiff did not plead that any third party had actually viewed the confidential data. The question posed to the trial court and again on appeal was whether a claim for statutory damages could proceed absent pleading and proof of actual disclosure. The trial court ruled for the plaintiff and overruled the UC Regents’ demurrer.
The Court of Appeal reversed and granted a writ petition by the UC Regents today. In an opinion authored by Presiding Justice Dennis Perluss Division Seven of the Second District Court of Appeal, ruled that an action for statutory damages under California’s Confidentiality of Medical Information Act requires proof of actual disclosure of the data to a third party. Mere negligent storage of the information alone is insufficient. You can read the decision in Regents of University of California v. Superior Court (Platter) (Oct. 15, 2013 B249148) here.
Given that the thief in this case and similar cases is not likely ever to admit to viewing the data, it is difficult to imagine a scenario where stolen data will result in statutory damages in the future unless the thief is caught and confesses.