California Court of Appeals, Fourth District, Second Division
ORIGINAL PROCEEDINGS; petition for writ of mandate. Super.Ct.No. INC1108128, Harold W. Hopp, Judge.
Horvitz & Levy, Lisa Perrochet, Steven S. Fleischman; Baker & Hostetler, Michael R. Matthias and Dawn Kennedy for Petitioner.
No appearance for Respondent.
Harris & Ruble, Alan Harris, Priya Mohan and Dave Zelenski for Real Parties in Interest.
McKINSTER, Acting P. J.
Petitioner Eisenhower Medical Center (EMC) seeks writ review of an order denying its motion for summary adjudication of a cause of action under the Confidentiality of Medical Information Act (CMIA). (Civ. Code, § 56 et seq.) We grant EMC’s petition, concluding that a health care provider cannot be held liable under the relevant portions of the CMIA for the release of an individual’s personal identifying information that is not coupled with that individual’s medical history, mental or physical condition, or treatment.
FACTUAL AND PROCEDURAL BACKGROUND
A computer was stolen from EMC on March 11, 2011, containing an index of over 500, 000 persons to whom EMC had assigned a clerical record number dating back to the 1980’s. The information included each person’s name, medical record number (MRN), age, date of birth, and last four digits of the person’s Social Security number (SSN). This information on the computer was password protected but not encrypted. A couple of weeks later, EMC sent out notice to these individuals informing them of the theft.
Real parties in interest (Plaintiffs) are a few of the individuals whose names were on the index. They filed the underlying action as a putative class action against EMC seeking nominal damages of $1, 000 each under the CMIA. The complaint also includes a second cause of action for violation of the Customer Records Act (CRA) (§ 1798.82), which requires notification to consumers when security systems are breached.
EMC moved for summary judgment or adjudication contending that the theft of the computer did not result in a disclosure of medical information of any of the listed persons. Information about an individual’s medical history, condition, or treatment is saved only on EMC’s servers located in the data center. The index that was on the stolen computer is a subset of information from its master patient index and can be used in case of a power outage or network failure to ...