Dive Brief:
- A California appellate court has dismissed a privacy suit targeting Sutter Health that could have cost the health system upwards of $4 billion.
- The court ruled that the millions of patients whose personal, medical and insurance records were on the hard drive of a stolen computer didn't have grounds to seek civil damages, as they hadn't shown that any unauthorized persons viewed the hard drive's contents.
- The suit, which sought $1,000 in compensation for each of the 4 million patients whose privacy might have been violated, comes on the heels of a Sutter announcement that a desktop computer was stolen from one of its offices in November 2011.
Dive Insight:
According to the appellate court, allowing for damages under the state's confidentiality statute in this situation could lead to illogical consequences. For example, the decision held that by the plaintiffs' reasoning, Sutter could be held liable even if the thieves had wiped the stolen drive clean and never had any contact with the private patient data.
Still, that doesn't change the fact that Sutter patients have reason to be concerned if its IT department hasn't stepped up its security procedures. At the time of the theft, data on 4 million patients was stored in a password-protected but unencrypted format, and the office in which the computer was stored didn't have security alarms or cameras. At a time when patient data is becoming increasingly attractive to thieves, leaving such data relatively exposed is a massive risk.