Sutter Health v. Superior Court
174 Cal. Rptr. 3d 653
Cal. Ct. App.2014Background
- Sutter Health’s office was burglarized; a computer with unencrypted medical records for about four million patients was stolen.
- The computer’s hard drive was password-protected; the office lacked security alarm and cameras.
- Plaintiffs filed a class action alleging violations of Confidentiality Act §§56.10, 56.101, seeking $1,000 nominal damages per patient (potentially ~$4 billion).
- Plaintiff actions were coordinated; a master complaint was filed against Sutter Health.
- The complaint did not allege that any unauthorized person viewed the stolen records.
- Trial court overruled Sutter Health’s demurrer and denied the motion to strike class allegations; petition for writ of mandate issued.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether breach requires actual viewing of records | Plaintiffs claim negligence of storage breaches confidentiality regardless of viewing. | Sutter Health argues no breach without unauthorized viewing. | No breach without actual viewing; demurrer should be sustained. |
| Whether §56.10 disclosures require affirmative disclosure to unauthorized parties | Loss of possession harms confidentiality regardless of disclosure. | Disclosure requires affirmative sharing; theft does not constitute disclosure. | Disclosures require affirmative act; not satisfied here. |
| Whether §56.101 imposes liability without actual breach when records are merely lost or possessed by unauthorized person | Negligent preservation triggers liability under §56.101. | Liability requires breach of confidentiality, not mere loss of possession. | Liability requires an actual confidentiality breach. |
| Whether nominal damages under §56.36(b)(1) are available without proof of breach | Nominal damages possible per statute irrespective of actual damages. | No nominal damages without an actual breach. | Nominal damages require actual breach; none here. |
| Whether class action is appropriate under the Act | Class action should proceed given numerous potential class members. | Unclear feasibility and statutory limits on class actions under the Act. | Not reached; dismissal based on absence of actual breach. |
Key Cases Cited
- Regents of University of California v. Superior Court, 220 Cal.App.4th 549 (2013) (negligent release requires actual viewing; distinguishes disclose vs. release)
- Brown v. Mortensen, 51 Cal.4th 1052 (2011) (Confidentiality Act protects confidentiality of medical information)
- City of Cotati v. Cashman, 29 Cal.4th 69 (2002) (statutes interpreted to avoid unintended results)
- Schultz v. Harney, 27 Cal.App.4th 1611 (1994) (procedural standards for amendment in demurrer contexts)
- Federico v. Superior Court, 59 Cal.App.4th 1207 (1997) (negligence elements and duty to preserve confidentiality)