THE REGENTS OF THE UNIVERSITY OF CALIFORNIA, Petitioner, v. THE SUPERIOR COURT OF LOS ANGELES COUNTY, Respondent; MELINDA PLATTER, Real Party in Interest.
No. B249148
Second Dist., Div. Seven
Oct. 15, 2013
Petitions for a rehearing were denied November 13, 2013
220 Cal. App. 4th 548 | 163 Cal. Rptr. 3d 205
PERLUSS, P. J.
THE REGENTS OF THE UNIVERSITY OF CALIFORNIA, Petitioner, v. THE SUPERIOR COURT OF LOS ANGELES COUNTY, Respondent; MELINDA PLATTER, Real Party in Interest.
Charles F. Robinson, Karen J. Petrulakis, Margaret L. Wu; Munger, Tolles & Olson, Bradley S. Phillips and Michelle T. Friedland for Petitioner.
Lois J. Richardson for California Hospital Association as Amicus Curiae on behalf of Petitioner.
Pillsbury Winthrop Shaw Pittman, Kevin M. Fong and Sarah G. Flanagan for Lucile Packard Children‘s Hospital and Stanford Hospital and Clinics as Amici Curiae on behalf of Petitioner.
Francisco J. Silva and Lisa Matsubara for California Medical Association as Amicus Curiae on behalf of Petitioner.
Bartko, Zankel, Bunzel & Miller, Robert H. Bunzel, William I. Edlund, Michael D. Abraham and Simon R. Goodfellow for Sutter Health, Sutter Medical Foundation and Sutter Connect as Amici Curiae on behalf of Petitioner.
No appearance for Respondent.
Kabateck Brown Kellner, Brian S. Kabateck, Richard L. Kellner; Ernst Law Group, Don A. Ernst and Taylor Ernst for Real Party in Interest.
PERLUSS, P. J.-The Confidentiality of Medical Information Act (CMIA) (
Under CMIA every health care provider who creates, maintains or disposes of medical information is also required to do so in a manner that preserves the confidentiality of that information. (
Does this statutory scheme authorize a private cause of action for damages based solely on the negligent maintenance or storage of medical information even if the patient‘s confidential records were never viewed or otherwise accessed by an unauthorized individual? Specifically, has a cause of action for nominal or statutory damages of $1,000 been adequately pleaded by real party in interest and putative class plaintiff Melinda Platter, who has alleged the Regents of the University of California, through its University of California at Los Angeles (UCLA) health system (UCLA Health System), failed to have reasonable systems and controls in place to prevent the removal of protected medical information from one of its hospitals and, as a result, negligently lost possession of that information?
Ruling a damage claim may be stated under section 56.101, subdivision (a), based on a health care provider‘s negligent maintenance or storage of an individual‘s medical information without regard to whether it resulted in any actual release or disclosure of the information, respondent Los Angeles Superior Court overruled the Regents‘s demurrer to Platter‘s complaint. Although we do not agree with the Regents‘s argument an affirmative communicative act by the health care provider is an essential element of
FACTUAL AND PROCEDURAL BACKGROUND
1. The Loss of the Encrypted External Hard Drive and Platter‘s Complaint for Violation of CMIA
In a letter dated November 4, 2011 signed by Robert Gross, chief privacy officer of the UCLA Health System and David Geffen School of Medicine, the Regents advised certain patients treated at UCLA facilities that an encrypted external hard drive containing some of their personally identifiable medical information had been stolen as part of a home invasion robbery approximately two months earlier. The letter also informed the recipients the password for the encrypted information was written on an index card near the device and that card could not be located. The letter stated, “The theft was reported to the police and there is no evidence suggesting that your information has been accessed or misused.” A public notice regarding the incident was published in the Los Angeles Times for three consecutive days from November 4 to 6, 2011.2
On October 30, 2012 Platter filed a class action complaint in Los Angeles Superior Court seeking damages from the Regents in a single cause of action for unlawful disclosure of confidential medical information in violation of CMIA. Platter alleged she had been treated on numerous occasions at Ronald Reagan UCLA Medical Center and was one of more than 16,000 UCLA Health System patients who had been notified of the loss of the external hard drive and the related password needed to decode the encrypted data. According to Platter‘s complaint, a physician in the UCLA Faculty Practice Group took the external hard drive, which contained patient names, dates of birth, addresses, financial information and medical records, to his home and left it unsecured with the encryption password. On or about September 6, 2011 the hard drive and written password were taken from the physician‘s home. As of the date of the complaint neither the hard drive nor the encryption password had been recovered.
2. The Regents‘s Demurrer; Platter‘s Response
The Regents demurred to the complaint on January 18, 2013 pursuant to
In her response Platter disputed the Regents‘s construction of the governing statutes. According to Platter, CMIA provides a cause of action for statutory damages in any case where it can be proved a health care provider‘s negligence was the proximate cause of an unauthorized third party obtaining confidential patient information, whether the third party is a thief or the intended recipient of the provider‘s affirmative or intentional act of communication.
3. The Superior Court‘s Order Overruling the Demurrer but Striking Portions of the Complaint
The superior court heard oral argument on April 11, 2013. On April 19, 2013 the court issued a 16-page ruling and order, overruling the Regents‘s demurrer but striking a portion of Platter‘s cause of action for violation of CMIA.
Relying upon what it concluded was the plain meaning of the terms at issue, the court agreed with the Regents that, under the facts as alleged, there was no disclosure of confidential information, a prerequisite to a claim for violation of section 56.10. However, the court also ruled CMIA established two separate types of wrongful conduct-wrongful disclosure of confidential medical information under section 56.10 and wrongful maintenance and storage of confidential information under section 56.101: “[T]he negligent maintenance, preservation, and storage of confidential data under § 56.101 specifically provides the remedy of $1,000 in nominal damages . . . . This is because the remedy portion of § 56.36(b) and (c) is incorporated by reference into § 56.101. As such, on the face of the statute, there is no requirement under § 56.101 that, to be eligible for the $1,000 nominal damages (or, as the case may be, actual damages), that there also have been a negligent release of the confidential information under § 56.36(b).”
Based on this analysis of the statutory scheme, the court overruled the demurrer, finding Platter had stated a claim for violation of CMIA because she alleged the Regents “failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” Nevertheless, because Platter had not alleged any affirmative disclosure of confidential information by the Regents, the court struck that portion of her CMIA claim premised on the allegation (in par. 46 of the complaint) that the Regents had “failed to exercise due care to prevent the release or disclosure of private medical information of Plaintiff and the class members without their written authorization.”
4. The Writ Proceedings
On June 4, 2013 the Regents petitioned this court for a writ of mandate directing the superior court to vacate its order overruling the demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action. The petition argued the superior court‘s ruling would create a sweeping private right of action that was not intended by the Legislature, emphasized the Regents‘s potential liability for $16 million in nominal damages under the superior court‘s interpretation of CMIA and asserted the need to expend resources to defend this litigation, rather than resolve the pure legal question raised through this writ proceeding, would create serious difficulties for the Regents.
While initially considering the petition we received letter briefs from amici curiae in support of the Regents‘s position from the Lucile Packard Children‘s Hospital and Stanford Hospital and Clinic, the California Hospital Association and the California Medical Association. Real party in interest Platter submitted an opposition to the petition for writ of mandate, and the Regents filed a reply. On June 25, 2013 we issued an order to show cause why the relief requested in the petition should not be granted. On July 22, 2013 Platter filed her return to the petition, and on August 12, 2013 the Regents filed its reply. On August 23, 2013 we received an amicus curiae brief in support of the Regents from Sutter Health, Sutter Medical Foundation and Sutter Connect, LLC, doing business as Sutter Physician Services, which advised us, in part, the issue presented here is also currently pending before the Third District Court of Appeal (Sutter Health v. Superior Court (C072591)).
DISCUSSION
1. The Propriety of Extraordinary Writ Relief
An order overruling a demurrer is not directly appealable and will rarely be reviewed in a petition for extraordinary writ relief. (See, e.g., Brandt v. Superior Court (1985) 37 Cal.3d 813, 816 [“we are reluctant to exercise our discretion to review rulings at the pleading stage of a lawsuit . . .“]; City of Huntington Park v. Superior Court (1995) 34 Cal.App.4th 1293, 1297.) However, when the question is purely legal and the issue significant, relief by extraordinary writ is appropriate. (Babb v. Superior Court (1971) 3 Cal.3d 841, 851; County of Santa Clara v. Superior Court (2009) 171 Cal.App.4th 119, 125-126; City of Huntington Park, at p. 1297.) Here, the issue of statutory construction raised by the superior court‘s ruling and presented by the Regents‘s petition has not previously been addressed by an appellate court and, based on the amici curiae submissions we have received, appears to be of widespread interest. Accordingly, writ review is appropriate.
2. Standard of Review
A demurrer tests the legal sufficiency of the factual allegations in a complaint. We independently review the superior court‘s ruling on a demurrer and determine de novo whether the complaint alleges facts sufficient to state a cause of action or discloses a complete defense. (McCall v. PacifiCare of Cal., Inc. (2001) 25 Cal.4th 412, 415; Aubry v. Tri-City Hospital Dist. (1992) 2 Cal.4th 962, 967.) We assume the truth of the properly pleaded factual allegations, facts that reasonably can be inferred from those expressly pleaded and matters of which judicial notice has been taken. (Evans v. City of Berkeley (2006) 38 Cal.4th 1, 20; Schifando v. City of Los Angeles (2003) 31 Cal.4th 1074, 1081.) We liberally construe the pleading with a view to substantial justice between the parties. (
We also review de novo issues of statutory construction. (In re Tobacco II Cases (2009) 46 Cal.4th 298, 311; People ex rel. Lockyer v. Shamrock Foods Co. (2000) 24 Cal.4th 415, 432.) In construing statutes “[o]ur fundamental task is to ascertain the intent of the lawmakers so as to effectuate the purpose of the statute[s]. [Citation.] We begin by examining the statutory language, giving the words their usual and ordinary meaning. [Citation.] If there is no ambiguity, then we presume the lawmakers meant what they said, and the plain meaning of the language governs. [Citations.] If, however, the statutory terms are ambiguous, then we may resort to extrinsic sources, including the ostensible objects to be achieved and the legislative history. [Citation.] In such circumstances, we ‘select the construction that comports most closely with the apparent intent of the Legislature, with a view to promoting rather than defeating the general purpose of the statute, and avoid an interpretation that would lead to absurd consequences.‘” (Day v. City of Fontana (2001) 25 Cal.4th 268, 272; accord, People v. Lawrence (2000) 24 Cal.4th 219, 230.)
Section 56.10, subdivision (a), provides, “No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c).”4
Section 56.35 provides, “In addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 . . . and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorneys’ fees not to exceed one thousand dollars ($1,000), and the costs of litigation.”
Section 56.36, subdivision (a), provides any violation of CMIA that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
Section 56.36, subdivision (b), provides, “In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: (1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. (2) The amount of actual damages, if any, sustained by the patient.”
Section 56.36, subdivision (c), establishes a schedule of escalating administrative fines and civil penalties for unauthorized negligent and willful disclosure or use of confidential patient information in violation of CMIA.
Section 56.101, subdivision (a), provides, “Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical
4. The Complaint Fails to State Facts Sufficient to Constitute a Cause of Action for Statutory Damages Under CMIA
The superior court found, and the Regents does not dispute, Platter‘s complaint adequately alleges the Regents violated the duty imposed by section 56.101, subdivision (a), to maintain and store medical information in a manner that preserves the confidentiality of that information. (Cf. Mack v. Soung (2000) 80 Cal.App.4th 966, 971 [all properly pleaded allegations deemed true for purposes of demurrer regardless of plaintiff‘s ability to later prove them].) The Regents, therefore, is potentially “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (
a. A cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof that the plaintiff‘s confidential information has been released to a third party
Obviously troubled by the implications of its conclusion that “disclose,” as used in section 56.10, subdivision (a), and “release[],” as used in section 56.36, subdivision (b), are synonymous and that both require an affirmative communicative act, as the Regents had argued the issue we discuss in the following section of this opinion-the superior court determined CMIA defined “two separate species of wrongful conduct” and “two separate violations“: the wrongful disclosure of confidential medical information under section 56.10 and the wrongful maintenance and storage of confidential information under section 56.101, subdivision (a). In the absence of proof of actual damages, the remedy for the negligent release of information, which the court equated with its wrongful disclosure, is $1,000 in nominal or
The superior court read section 56.101, subdivision (a)‘s incorporation of “the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36” far too narrowly. The remedy provided in subdivision (b) is the right of an individual whose confidential information has been released in violation of CMIA to bring a private cause of action for nominal and/or actual damages. (See Legis. Counsel‘s Dig., Sen. Bill No. 19 (1999-2000 Reg. Sess.) 5 Stats. 1999, Summary Dig., p. 218 [“the bill would provide that violation of the act would be grounds for suspension o[r] revocation of a health care service plan‘s license and would create a right of action to recover damages, as specified, for any individual whose confidential information or records are negligently released . . .“].) By incorporating the entire subdivision (b) “remedy,” and not simply the measure of damages described in subdivision (b)(1) and (2), the Legislature plainly intended an action predicated on a health care provider‘s negligent maintenance of confidential information in violation of section 56.101 also plead and prove a release of that information.
This use of the term “remedy” to refer to the private cause of action itself, rather than to the particular form of relief available, is hardly unusual. (See, e.g., Munson v. Del Taco, Inc. (2009) 46 Cal.4th 661, 673 [addition of subd. (f) to § 51, part of the Unruh Civil Rights Act (§ 51 et seq.), which incorporated the Americans with Disabilities Act of 1990 (ADA;
Any lingering uncertainty about this interpretation of the elements of a private cause of action based on negligent maintenance of medical records is dispelled by the original language of Senate Bill No. 19 (1999-2000 Reg. Sess.) (Senate Bill No. 19), which added both sections 56.101 and 56.36, subdivisions (b) and (c), to CMIA, effective January 1, 2000. (Stats. 1999, ch. 526, §§ 3, 8, pp. 3647, 3650.)5 As enacted in 1999, in addition to imposing a duty on health care providers to maintain and store medical records “in a manner that preserves the confidentiality of the information contained therein,” section 56.101 stated, “Any provider of health care, health care service plan, or contractor who negligently disposes, abandons, or destroys medical records shall be subject to the provisions of this part“-that is, to the provisions of CMIA. (Stats. 1999, ch. 526, § 3, p. 3647, italics added.) Thus, as originally enacted under Senate Bill No. 19, negligent preservation of confidential patient information would expose a health care provider not only to administrative sanctions under new section 56.36, subdivision (c), but also to the new private cause of action established in section 56.36, subdivision (b), as well as potentially to a damage action under section 56.35 and a criminal (misdemeanor) proceeding under section 56.36, subdivision (a). There was no separate, stand-alone private cause of action for violation of section 56.101.
The following year, as part of legislation making technical and clarifying changes to CMIA, section 56.101 was amended to substitute “negligently creates, maintains, preserves, stores” for “negligently disposes” and to replace “subject to the provisions of this part” with “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (Stats. 2000, ch. 1067, § 4, p. 8209; see Sen. Com. on Ins., Analysis of Sen. Bill
Notwithstanding its conclusion that section 56.101 incorporated only the measure of damages specified in section 56.36, subdivision (b), and not the other elements of subdivision (b)‘s private cause of action, the superior court implicitly acknowledged the flaw in its analysis and recognized that more than a bare allegation of negligent maintenance of confidential information by a health care provider is required to recover nominal or statutory damages. Thus, the superior court did not rule, and Platter herself does not argue, a cause of action may be stated under section 56.101, subdivision (a), by any patient of a health care provider who has negligently maintained or stored some of its confidential medical records, let alone by someone who is not even a patient of the provider. At the very least, the information potentially compromised as a result of the negligent conduct must relate to the individual initiating the action, consistent with section 56.36, subdivision (b)‘s requirement that the “confidential information or records [at issue] concern[] him or her.” Yet this minimum threshold requirement must necessarily be based on the incorporation of at least some of the affirmative elements of the private damage remedy created by section 56.36, subdivision (b); there is no other statutory ground on which it could stand.6
Here, Platter has satisfied this initial pleading requirement, alleging (as reported in the notice she received from UCLA Health System) that her confidential medical records were among those on the external hard drive taken from the physician‘s home on September 6, 2011. For the reasons
b. A cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof of a release of the information but not an affirmative communicative act by the health care provider
Although we agree with the Regents an action for nominal damages under sections 56.101, subdivision (a), and 56.36, subdivision (b), requires pleading and proof of a “release” of confidential information, that does not mean, as the Regents contends, an affirmative communicative act by the health care provider is an essential element of Platter‘s claim. Specifically, “release” as used in section 56.36, subdivision (b), is not synonymous with “disclose” in section 56.10, subdivision (a), and the Regents posits a false dichotomy between disclosure or release, on the one hand, and “unauthorized ‘access’ by third parties,” on the other hand.
i. “To disclose” and “to release” are not synonymous
CMIA does not define “disclose” or “release.” As a matter of their common or ordinary dictionary meanings, however, “to disclose” and “to release” are not synonymous. (See generally Angelucci v. Century Supper Club (2007) 41 Cal.4th 160, 168 [“[i]n interpreting a statute, we first consider its words, giving them their ordinary meaning and construing them in a manner consistent with their context and the apparent purpose of the legislation“].) “Disclose,” as the Regents explains, is an active verb, denoting in the context of CMIA and the protections afforded confidential medical information an affirmative act of communication.7 But “to release” is broader, including not only “to give permission for publication, performance, exhibition, or sale of” or “to make available to the public,” the definitions identified by the superior court,8 and “to set free from restraint, confinement, or servitude . . . to let go,” among the definitions proffered by
ii. Established principles of statutory construction require we ascribe different meanings to different words used in the same statutory scheme and avoid an interpretation that would render any provision superfluous
This plain meaning construction of sections 56.101 and 56.36, subdivision (b), is reinforced by our obligation to interpret different terms used by the Legislature in the same statutory scheme to have different meanings. (Roy v. Superior Court (2011) 198 Cal.App.4th 1337, 1352 [” ‘when the Legislature uses different words as part of the same statutory scheme, those words are presumed to have different meanings’ “]; Romano v. Mercury Ins. Co. (2005) 128 Cal.App.4th 1333, 1343 [same]; see Brown v. Kelly Broadcasting Co. (1989) 48 Cal.3d 711, 725 [” ‘when the Legislature has carefully employed a term in one place and has excluded it in another, it should not be implied where excluded’ “].) The Legislature elected to define the private cause of action created by section 56.36, subdivision (b), in terms of a negligent release of information, rather than a negligent disclosure. There is no reason to believe that decision was anything but deliberate.
The provisions in Senate Bill No. 19 expanded the private right of action for individuals whose medical information had been compromised in several different ways. First, new section 56.36, subdivision (b), created a private cause of action for the negligent release of medical records, not only for their unauthorized disclosure or use. (Stats. 1999, ch. 526, § 8, p. 3650.) Second, in addition to authorizing an action for compensatory damages for the negligent release of confidential information or records in subdivision (b)(2), section 56.36, subdivision (b)(1), expressly provides that nominal (statutory) damages of $1,000 are available for a patient whose confidential information was negligently released without proof “that the plaintiff suffered or was threatened with actual damages.” Moreover, by virtue of section 56.101 health care providers are now charged with the duty not only to refrain from unauthorized disclosures of confidential medical information but also to maintain such information “in a manner that preserves the confidentiality of the information contained therein” (former § 56.101; Stats. 1999, ch. 526, § 3, p. 3647)-storage-related duties far broader than the duty created by section 56.10.
For our purposes two aspects of this legislation bear emphasis. First, section 56.36, subdivision (b)(2), permitting the recovery of actual damages for the negligent release of confidential medical information or records, would be superfluous in light of section 56.35, if “release” as used in section 56.36, subdivision (b), were synonymous with “disclose” as used in sections 56.10 and 56.35. When interpreting a statute, ” ‘[w]ords must be construed in context, and statutes must be harmonized, both internally and with each other to the extent possible.’ [Citation.] Interpretations that lead to absurd results or render words surplusage are to be avoided.’ ” (People v. Loeun (1997) 17 Cal.4th 1, 9; accord, Dyna-Med, Inc. v. Fair Employment & Housing Com. (1987) 43 Cal.3d 1379, 1387 [“A construction making some words surplusage is to be avoided. The words of the statute must be construed in context, keeping in mind the statutory purpose, and statutes or statutory
Second, at the same time it created a private cause of action for the negligent release of confidential medical information in section 56.36, subdivision (b), the Legislature created a new system of administrative fines and civil penalties for the negligent or willful use or disclosure of such information in violation of CMIA in section 56.36, subdivision (c). Again, our obligation to interpret different terms used by the Legislature in the same statutory scheme to have different meanings requires we reject the Regents‘s argument that “to disclose” information and “to release” it within the meaning of CMIA are synonymous and that both require an affirmative communicative act. In sum, by incorporating the remedy provision of section 56.36, subdivision (b), in section 56.101, the Legislature simply did not intend a private cause of action under section 56.101 for negligent maintenance or disposal of confidential medical information to be limited to instances in which the health care provider disseminated the information through an affirmative communicative act.
Indeed, if an affirmative communicative act by the health care provider were required to state a claim under sections 56.101-that is, if only the negligent disclosure of that information, not just its negligent storage leading to unauthorized access, could support an award of civil damages the second sentence of former section 56.101 (now § 56.101, subd. (a)) expressly providing remedies for violations of section 56.101 would be superfluous. The Regents attempts to avoid this untenable conclusion by noting that section 56.101 applies to pharmaceutical companies, which are not covered by section 56.10. Thus, it reasons, section 56.101 has independent significance because a private cause of action now exists against pharmaceutical companies that negligently maintain and release medical information. But pharmaceutical companies were not added to section 56.101 until 2002. (Stats. 2002, ch. 853, § 2, p. 5377.) This after-the-fact development does nothing to validate the Regents‘s interpretation of section 56.101‘s remedial provisions an interpretation that would mean those provisions, when adopted in 1999, were simply redundant and thus unnecessary.
Nor are we persuaded by the Regents‘s observation that the Legislature may create certain duties that are not enforceable through any private cause of action. Although that is certainly true (see, e.g., Lu v. Hawaiian Gardens Casino, Inc., supra, 50 Cal.4th at p. 596), it does little to explain what the Legislature intended when it provided, first, that violation of the duty
iii. Subsequent legislation to further protect confidential medical information does not support the Regents‘s cramped interpretation of sections 56.101 and 56.36, subdivision (b)
Finally, we reject the Regents‘s argument that a private cause of action under sections 56.101 and 56.36, subdivision (b), must include pleading and proof of an affirmative disclosure by the health care provider because in 2008, some years after those provisions were adopted, the Legislature enacted new regulatory safeguards for confidential medical records that expressly addressed unlawful or unauthorized “access” to such information, as well as its unauthorized use or disclosure. (
As noted, both of these additional, related regulatory schemes cover unauthorized disclosure of confidential medical information, as well as improper access, and thus unquestionably overlap with the protections provided by section 56.10. Nothing in these statutes or their legislative history, however, suggests the Legislature, in providing these additional protections for confidential medical information, intended to modify or displace existing private remedies under sections 56.36 or 56.101 for the negligent storage or disposal of such information.
To be sure, as the Regents observe, an Assembly Committee analysis of Senate Bill No. 541 (Reg. Sess. 2007-2008), which became Health and Safety
c. Pleading negligent maintenance and loss of possession of confidential medical information is insufficient to state a cause of action under sections 56.101 and 56.36, subdivision (b)
Apparently recognizing that negligent storage or disposal of confidential information alone is not actionable under sections 56.101 and 56.36, subdivision (b), in overruling the Regents‘s demurrer the superior court quoted Platter‘s allegation (in par. 46 of her complaint) that the Regents “failed to have reasonable systems and controls in place to prevent the
Platter‘s pleading is honest. Because no one (except perhaps the thief) knows what happened to the encrypted external hard drive and the password for the encrypted information, she cannot allege her medical records were, in fact, viewed by an unauthorized individual. But it is also deficient. Even under the broad interpretation of “release” we believe the Legislature intended in section 56.36, subdivision (b), as incorporated into section 56.101, more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information. (See generally Kirkwood v. Bank of America (1954) 43 Cal.2d 333, 341 [“[w]ords may not be inserted in a statutory provision under the guise of interpretation“]; Schroeder v. Irvine City Council (2002) 97 Cal.App.4th 174, 194 [same].) What is required is pleading, and ultimately proving, that the confidential nature of the plaintiff‘s medical information was breached as a result of the health care provider‘s negligence.14 Because Platter‘s complaint failed to include any such allegation, the Regents‘s demurrer should have been sustained without leave to amend and the case dismissed.15
The petition is granted. Let a peremptory writ of mandate issue directing the superior court to vacate its order overruling the Regents‘s demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing Platter‘s action. The parties are to bear their own costs in this proceeding.
Woods, J., and Zelon, J., concurred.
Petitions for a rehearing were denied November 13, 2013, and the opinion was modified to read as printed above.
Reynolds v. Bement (2005) 36 Cal.4th 1075, 1091-1092 [argument regarding possible amendment of complaint not properly raised for first time in petition for rehearing].) Moreover, Platter concedes there are other means by which her personal information may have been obtained, and the Regents has presented information the theft of the external hard drive occurred in Hawaii, not Southern California as Platter has assumed and where the identity theft apparently took place. Under the circumstances there are simply too many layers of speculation required for these minimal facts to be considered sufficient to overcome the deficiency in Platter‘s complaint. (See Sandler v. Sanchez (2012) 206 Cal.App.4th 1431, 1437 [leave to amend should not be granted where amendment would be futile]; Vaillette v. Fireman‘s Fund Ins. Co. (1993) 18 Cal.App.4th 680, 685 [same].)