
California Appellate Court Confirms Trial Court’s Decision to Toss Class Action Insider Breach Lawsuit

A Californian appellate court has recently confirmed the decision of the lower court to deny class action status for a lawsuit filed against a Californian healthcare provider over an insider data breach that affected 5,485 patients.

In May 2018, the healthcare provider – Muir Medical Group IPA – discovered that a former employee had accessed and copied patient records before leaving employment and had taken the patient information to her new employer. The investigation determined the breach occurred in December 2017 and affected patients who received treatment between November 2013 and February 2017. The information copied by the employee included names, contact information, treatment information, and other sensitive data.

A lawsuit was filed in the wake of the breach – Vigil v. Muir Medical Group IPA, Inc. – that alleged negligence and violations of the Confidentiality of Medical Information Act (CMIA), the Customer Records Act, and unlawful business practices under the Unfair Competition Law. The lawsuit also alleged violations of the Security Management Process standard of HIPAA, as the employee should not have been able to access the records of many of the patients.

Class action status for the lawsuit was rejected by the trial court, as the claims made by the plaintiff were deemed to be deficient. The court determined the patient’s claims hinged on the alleged CMIA violation. The trial court found the predominance of common questions requirement was not met because, under CMIA, individualized inquiries would be required to prove the defendant’s liability and damages to each of the affected patients. Liability is predicated on whether each class member’s records were actually viewed, which, based on the facts, was not capable of resolution in the aggregate.


The decision was appealed, but the appellate court sided with the defendant, confirming that class action status could not be granted as the plaintiff was unable to show an unauthorized third party had viewed the records of each class member. This was therefore a private issue, and class certification was not appropriate. The appellate court also ruled the plaintiff had no viable claim under CMIA due to failure to demonstrate the healthcare provider had negligently maintained or stored patient information, then lost that information due to its negligence.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
