Under the California Confidentiality of Medical Information Act (CMIA), companies can be fined billions of dollars for security breaches that lead to the loss of patient medical data. A Californian health care organization has recently escaped a fine of $4 billion after it lost the medical records of over 4 million of its patients. In the court case, plaintiffs sought $1,000 in damages for the loss of data that occurred when a hard drive containing the unencrypted patient database was stolen from a health care center.
The company avoided paying damages because, although the laptop and the data on it were clearly stolen, it was not possible to determine whether the data had been viewed. Without proof that the data had been accessed by an unauthorized individual, it was not possible to establish on the balance of probabilities that an “injury” had been sustained for which the defendant could be held liable.
Because statutory damages of $1,000 can be claimed under the CMIA, any data theft or loss often results in legal action being commenced on the grounds of professional negligence, regardless of whether the victims have sustained any injury or loss. However, this case serves as a reminder of the aim and intent of the CMIA, which is to ensure that medical data remains private and confidential, not to impose liability merely because the data has come into the possession of an unauthorized individual. The message to would-be claimants is clear: a claim cannot succeed until it can be determined, and proven, that confidential medical data has actually been viewed.
The ruling by the California Court of Appeals is not the first of this nature. Last year a similar case was filed, and that claim was also rejected on the grounds that the data had not been viewed, accessed or otherwise improperly used. Both rulings are likely to deter further claims from being filed where only the loss of data, and not its unauthorized access, can be established.
Even with the verdict going against the claimants, the latest case should serve as a warning to organizations: the ruling went in favor of the defendants only because no proof of access could be obtained. Other companies and organizations may not be so fortunate, and data on databases and devices should be encrypted to reduce liability in the event of data loss. Encrypting databases demonstrates that a company is committed to protecting the privacy of its patients and allows a much stronger defense to be mounted should a claim for compensation ever be filed.
Data breaches often result from the loss of memory sticks and the theft of laptop computers, and the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) is now threatening to fine offenders for serious violations such as failing to encrypt ePHI on portable devices.
Higher fines are becoming commonplace, with damages in excess of $1 million increasingly common in recent years. However, the damage to an organization’s reputation after the loss of medical data can cause even greater financial harm.
It is therefore essential that appropriate policies are adopted not only to limit the internal and external threat of cyberattacks, but also that strategies are implemented to educate personnel about cybersecurity risks.