Ex-employee downloaded copies of patients' insurance and clinical information, California company admits
A class action against Muir Medical Group IPA, Inc. claimed that it failed to secure the private medical information of thousands of patients and let a former employee download this information and take it with her upon leaving her employment.
In the case of Vigil v. Muir Medical Group IPA, Inc., Muir’s chief executive officer notified certain patients that a data breach might have affected their personal information. Muir discovered that a former employee took certain information in its possession before her employment ended.
Muir investigated the incident and stated that there was no evidence that personal information was misused. However, Muir admitted that the former employee downloaded copies of patients’ information, including insurance and clinical information.
The plaintiff, who was one of the patients who received Muir’s notice, sought to file a class action claiming breach of the Confidentiality of Medical Information Act (CMIA), violation of the Customer Records Act, unlawful and unfair business practices under the Unfair Competition Law, and negligence.
She alleged that, under the Health Insurance Portability and Accountability Act’s security management process standard, Muir’s employees should not have access to records regarding around 5,500 patients without a compelling reason and should not be able to take sensitive patient information. She further claimed that Muir negligently released patients’ medical information without their authorization.
The plaintiff filed a motion for class certification. The trial court denied the motion upon finding, in connection with the CMIA claim, that each class member would have to show that an unauthorized party breached the confidential nature of their medical information as required by the case of Sutter Health v. Superior Court (2014).
The plaintiff appealed. The California Court of Appeal for the First District agreed with the trial court’s decision.
First, the appellate court ruled that the trial court properly interpreted and applied the CMIA. Second, the appellate court held that the plaintiff failed to show that a breach of confidentiality could be established on a class-wide basis.
The appellate court found that the mere ability of an unauthorized party to access information could not support the CMIA claim. Each individual bringing a private claim should show that an unauthorized party actually viewed their confidential medical information and that the health care provider’s negligence led to a breach of the information’s confidential nature, the appellate court said.
Third, the appellate court determined that the trial court appropriately found that individual issues would predominate over common issues. While the evidence showed that the employee might have viewed some information on the patient spreadsheet, it did not prove that the information was seen by other unauthorized parties or was posted or disclosed in a public forum.
Thus, most or all of the nearly 5,500 potential class members could not maintain their CMIA claims against Muir unless they could establish that an unauthorized party viewed their confidential medical information and that Muir’s negligence caused this confidentiality breach, the appellate court concluded.