OPINION
NICHOLSON, Acting P. J. —
The Confidentiality of Medical Information Act, which we refer to in this opinion as the Confidentiality Act, protects the confidentiality of patients' medical information. (Civ. Code, § 56 et seq.; all remaining unspecified code citations are to the Civil Code.) Among other remedies, the Confidentiality Act provides for an award of $1,000 in nominal damages to a patient if the health care provider negligently releases medical information or records in violation of the Confidentiality Act. (§ 56.36, subd. (b)(1).)
In this case, a thief stole a health care provider's computer containing the medical records of about four million patients. The plaintiffs filed an action under the Confidentiality Act, seeking to represent, in a class action, all of the patients whose records were stolen, with a potential award of about $4 billion against the health care provider. The health care provider demurred to the complaint and moved to strike the class allegations, but the trial court overruled the demurrer and denied the motion to strike. On the petition of the health care provider, we issued an alternative writ of mandate to review the trial court's rulings.
We conclude that the plaintiffs have failed to state a cause of action under the Confidentiality Act because they do not allege that the stolen medical information was actually viewed by an unauthorized person. We therefore grant the health care provider's petition for a peremptory writ of mandate and direct the trial court to sustain the health care provider's demurrer without leave to amend and dismiss the action.
The parties also argue other questions such as whether a class action is proper under these circumstances and whether a potential award of about $4 billion in nominal damages would violate the health care provider's due process rights. We do not reach these questions because our conclusion that the plaintiffs have not stated a cause of action for violation of the Confidentiality Act resolves the petition for relief.
BACKGROUND
The real parties in interest (the plaintiffs) allege that the petitioners (Sutter Health and several other defendants, which we refer to in this opinion simply as Sutter Health because there is no reason to differentiate) violated sections 56.10 and 56.101, part of the Confidentiality Act, which invoked the remedy provision of section 56.36. The relevant parts of those statutes provide as follows:
"A provider of health care ... shall not disclose medical information regarding a patient of the provider of health care ... without first obtaining an authorization, except as provided in subdivision (b) or (c)." (§ 56.10, subd. (a).) Subdivisions (b) and (c) list circumstances under which the health care provider must or may disclose records. None of those circumstances is relevant to this action.
"Every provider of health care ... who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care ... who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." (§ 56.101, subd. (a).)
"In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: [¶] (1) ... nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. [¶] (2) The amount of actual damages, if any, sustained by the patient." (§ 56.36, subd. (b).)
These proceedings are based on the well-pleaded facts alleged in the plaintiffs' complaint. (Brown v. Mortensen (2011) 51 Cal.4th 1052, 1057, fn. 1 [126 Cal.Rptr.3d 428, 253 P.3d 522] (Brown).)
Sutter Health maintained medical records concerning the plaintiffs. In October 2011, someone broke into an office of Sutter Health and stole a desktop computer. The medical records of more than four million patients were stored on the computer's hard drive in password-protected but unencrypted format, and the office from which the computer was taken did not have a security alarm or security cameras.
In November 2011, Sutter Health publicly announced that the medical records had been stolen. Soon after the announcement, the plaintiffs began filing individual complaints alleging violation of the Confidentiality Act. Those actions were coordinated, and a master complaint was filed.
The complaint does not allege that any unauthorized person has actually viewed the stolen records from the password-protected but unencrypted hard drive. Instead, the complaint alleges: "Plaintiffs are informed and believe that potential misuses of personal medical information may not manifest itself for numerous years, and furthermore that credit monitoring services survey only a small segment of such potential misuses."
The plaintiffs model their complaint as a class action, seeking to represent "[a]ll persons residing in the State of California whose `medical information'... was present on a computer stolen [in October 2011] from [Sutter Health]." (Italics omitted.) The complaint alleges that Sutter Health violated sections 56.10 and 56.101, part of the Confidentiality Act, and seeks an award of $1,000 in nominal damages for each class member under section 56.36, subdivision (b)(1). Because the complaint alleges that Sutter Health violated the Confidentiality Act with respect to about four million patients and seeks $1,000 per patient, the complaint potentially seeks about $4 billion in nominal damages.
Sutter Health filed a demurrer to the complaint. It argued, among other things, that the complaint does not state a cause of action under the Confidentiality Act because it does not allege that any unauthorized person has viewed the stolen medical information. Sutter Health also filed a motion to strike the class allegations in the complaint because, among other things, the Confidentiality Act allows individual actions only.
The trial court overruled the demurrer. It held that the complaint sufficiently pleaded a cause of action for breach of the Confidentiality Act without alleging that an unauthorized person had viewed the medical information.
The court also denied the motion to strike. It did not reach the merits of whether the Confidentiality Act allows a class action. Instead, it ruled that the question would more appropriately be addressed in class certification proceedings, which had not yet taken place. (The court struck a prayer for injunctive and equitable relief in the complaint, but that part of the ruling is not at issue in these proceedings.)
Sutter Health filed a petition for writ of mandate, and we issued an alternative writ.1
DISCUSSION
(1) The plaintiffs failed to state a cause of action under the Confidentiality Act because they failed to allege a breach of confidentiality. The mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records. Therefore, the trial court should have sustained Sutter Health's demurrer.
Regents of University of California v. Superior Court
Before we discuss the application of the Confidentiality Act to the facts as pleaded in this case, we turn to a recent decision of the Court of Appeal, Second Appellate District, Division Seven. (Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549 [163 Cal.Rptr.3d 205] (Regents) (opn. by Perluss, P.J. with Woods & Zelon, JJ., conc.)). The parties in this case provided supplemental briefing on the effect of Regents on the issues presented here.
In Regents, a physician took home an external hard drive with encrypted medical information on it. He kept the encryption password on a card with the computer. During a home invasion robbery, the external hard drive and the card with the password were taken from the physician's home. (Regents, supra, 220 Cal.App.4th at p. 554.) The plaintiff, whose medical information was on the hard drive along with the medical information of more than 16,000 other patients, did not allege that the medical records were viewed by an unauthorized person. (Id. at pp. 554, 570.)
The plaintiff in Regents filed a complaint alleging violation of the Confidentiality Act and seeking $1,000 in nominal charges for her and for each of the more than 16,000 other patients whose medical information was on the hard drive. (Regents, supra, 220 Cal.App.4th at pp. 554-555.) The defendant health care provider demurred to the plaintiff's complaint, and the trial court overruled the demurrer. (Id. at pp. 555-556.) The Court of Appeal, however, issued a writ of mandate directing the trial court to sustain the demurrer and dismiss the action. (Id. at p. 571.)
Three elements of the Regents decision are relevant to our discussion of the issues in this case.
First, the Regents court made the following preliminary statement about the application of section 56.101 to the facts of that case: "The superior court found, and the Regents does not dispute, [plaintiff's] complaint adequately alleges the Regents violated the duty imposed by section 56.101, subdivision (a), to maintain and store medical information in a manner that preserves the confidentiality of that information. [Citation.]" (Regents, supra, 220 Cal.App.4th at p. 560.) After making this statement, the Regents court went on to consider whether, having violated section 56.101, the health care provider is subject to nominal damages under section 56.36. As we explain below, we do not agree that section 56.101 is violated without an actual confidentiality breach.
Second, the Regents court considered the health care provider's argument that negligent release, as the term is used in section 56.36, subdivision (b), requires an affirmative communicative act. In other words, having the records stolen is not a release of the records because the health care provider did not affirmatively communicate the information in those records. (Regents, supra, 220 Cal.App.4th at pp. 564-565.) The court rejected the argument. It differentiated between "disclose" and "release" as used in the Confidentiality Act. "Disclosure" is covered in section 56.10, subdivision (a) and refers to affirmative communicative acts — giving out medical information on a patient. On the other hand, release of medical information, as "release" is used in section 56.36, is broader. The court said: "[U]nder the usual and ordinary meaning of the statutory language, a health care provider who has negligently maintained confidential medical information and thereby allowed it to be accessed by an unauthorized third person — that is, permitted it to escape or spread from its normal place of storage — may have negligently released the information within the meaning of [the Confidentiality Act]." (Regents, supra, at p. 565, italics added, fn. omitted.)
For the purpose of this writ petition, we will assume without deciding that Regents is correct in this regard — that negligent release under section 56.36 does not require an affirmative communicative act but instead can be accomplished by negligently allowing information to end up in the possession of an unauthorized person.
Third and finally, the Regents court held that to qualify for an award of nominal damages under section 56.36, subdivision (b)(1), a plaintiff must plead and prove that the records (in both that case and this case, the stolen records) were actually viewed by an unauthorized person. (Regents, supra, 220 Cal.App.4th at pp. 569-570.) The court said: "Even under the broad interpretation of `release' we believe the Legislature intended in section 56.36, subdivision (b), as incorporated into section 56.101, more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information. [Citations.] What is required is pleading, and ultimately proving, that the confidential nature of the plaintiff's medical information was breached as a result of the health care provider's negligence." (Regents, supra, at p. 570, fn. omitted.)
(2) As we explain below, we agree with this conclusion, but we arrive at the conclusion differently from the Regents court by finding that, without an actual confidentiality breach, a health care provider has not violated section 56.101 and therefore does not invoke the remedy provided in section 56.36.
Before we consider the statutes at issue, we must consider the plaintiffs' argument that Regents is factually distinguishable from this case and cannot be used as on-point precedent. The plaintiffs argue that the loss of the medical information in this case was "far more egregious" than the loss of medical information in Regents because the electronic files in that case were encrypted while the electronic files in this case were unencrypted. We disagree concerning the effect of encryption. Although the electronic files in Regents were encrypted, the thief apparently also took the encryption password, which was with the hard drive. That is tantamount to leaving the files unencrypted. Here, although the files were not encrypted, they were password protected. In any event, the main pleading problem for the plaintiffs in this case and in Regents is the same: there is no allegation that the medical information was viewed by an unauthorized person. The factual differences in Regents do not temper its application to the facts of this case.
Section 56.10
(3) Section 56.10 prohibits disclosure of medical information except when the disclosure is permitted under the Confidentiality Act. Disclosure is not defined in the statute, but the context and ordinary meaning suggest that disclosure occurs when the health care provider affirmatively shares medical information with another person or entity. (Regents, supra, 220 Cal.App.4th at p. 564.) The statute contains a lengthy list of circumstances under which the health care provider must or may disclose medical information, circumstances which do not violate the nondisclosure duty. (See § 56.10, subds. (b) & (c).) Thus, disclosure, under section 56.10, subdivision (a) implies an affirmative communicative act.
Here, there is no dispute that the computer was stolen by, not given to, the unauthorized person. Sutter Health did not intend to disclose the medical information to the thief, so there was no affirmative communicative act by Sutter Health to the thief. As a result, section 56.10 does not apply to the facts of this case.
Section 56.101
(4) Unlike section 56.10, which prohibits disclosure of medical information except under specified circumstances, section 56.101 refers to the broader duties of the health care provider with respect to the confidentiality of the medical information. The language of section 56.101, subdivision (a) makes it clear that preserving the confidentiality of the medical information, not necessarily preventing others from gaining possession of the paper-based or electronic information itself, is the focus of the legislation. Therefore, if the confidentiality is not breached, the statute is not violated.
(5) The first sentence of subdivision (a) of section 56.101 provides: "Every provider of health care ... who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein." (§ 56.101, subd. (a), italics added.)
This sentence allows for change of possession as long as confidentiality is preserved. For example, the subdivision imposes on the health care provider the duty to maintain confidentiality in the manner in which the medical information is abandoned or disposed of. Therefore, it cannot be said that section 56.101 imposes liability if the health care provider simply loses possession of the medical records. Something more is necessary — that is, breach of confidentiality.
The California Supreme Court recognized this legislative intent to protect the confidentiality of medical information in a case dealing with the Confidentiality Act. (Brown, supra, 51 Cal.4th 1052.) Although Brown was a disclosure case, not a release case, the Supreme Court's recognition of the intended protection is still helpful. "The Confidentiality Act (... § 56 et seq.) `is intended to protect the confidentiality of individually identifiable medical information obtained from a patient by a health care provider....' [Citations.]" (Id. at p. 1070.) "`The basic scheme of the [Confidentiality Act], as amended in 1981, is that a provider of health care must not disclose medical information without a written authorization from the patient.' [Citation.]" (Ibid.) "It follows that `in order to violate the [Confidentiality Act], a provider of health care must make an unauthorized, unexcused disclosure of privileged medical information.' [Citation.]" (Id. at p. 1071.)
No breach of confidentiality takes place until an unauthorized person views the medical information. It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act. While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced by the Confidentiality Act. This is evident in section 56.101, subdivision (a), which allows, in effect, abandoning or disposing of medical records "in a manner that preserves the confidentiality of the information contained therein."
(6) Here, the plaintiffs argue that Sutter Health negligently stored the medical information and that the negligent storage resulted in a change of possession of the information to an unauthorized person. This change of possession increased the risk of a confidentiality breach. But the Confidentiality Act does not provide for liability for increasing the risk of a confidentiality breach. It provides for liability for failing to "preserve[] the confidentiality" of the medical records. (§ 56.101, subd. (a).) There is no allegation that Sutter Health's actions with respect to the records on the stolen computer did not preserve their confidentiality because there is no allegation that an unauthorized person has viewed the records. Without an actual breach of confidentiality, the loss of possession is not actionable under section 56.101.
(7) The legislation at issue is the "Confidentiality of Medical Information Act," not the "Possession of Medical Information Act." (§ 56.) While loss of possession may result in breach of confidentiality, loss of possession does not necessarily result in a breach of confidentiality. For that reason, a plaintiff must allege a breach of confidentiality, not just a loss of possession, to state a cause of action for nominal or actual damages under section 56.101. (Accord, Regents, supra, 220 Cal.App.4th at p. 570, which arrives at the same conclusion by a different analytical route.)
(8) The second sentence of section 56.101, subdivision (a) does not change this analysis. Although it does not repeat the language requiring the health care provider to preserve the confidentiality of the medical information, it makes the health care provider liable for negligence. "Any provider of health care ... who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." (§ 56.101, subd. (a), italics added.) An essential element of negligence is that the tortfeasor's breach caused the injury protected against. (Federico v. Superior Court (1997) 59 Cal.App.4th 1207, 1210-1211 [69 Cal.Rptr.2d 370].) The duty is to preserve confidentiality, and a breach of confidentiality is the injury protected against. Without an actual confidentiality breach there is no injury and therefore no negligence under section 56.101. That the records have changed possession even in an unauthorized manner does not mean they have been exposed to the view of an unauthorized person.
(9) Interpreting section 56.101 to provide $1,000 in damages to every person whose medical information came into the possession of an unauthorized person without that person viewing the information would lead to unintended results. For example, if a thief grabbed a computer containing medical information on four million patients, but the thief destroyed the electronic records to reformat and wipe clean the hard drive and sell the computer without ever viewing the information or even knowing it was on the hard drive, the health care provider would still be liable, at least potentially, for $4 billion. For all we know, that may have happened here. We cannot interpret a statute to require such an unintended result. (City of Cotati v. Cashman (2002) 29 Cal.4th 69, 77 [124 Cal.Rptr.2d 519, 52 P.3d 695] [statutes interpreted to avoid unintended results]; Regents, supra, 220 Cal.App.4th at p. 570.)
Section 56.36
The plaintiffs assert that section 56.36 provides a remedy for violation of section 56.101. Since we conclude that Sutter Health did not violate section 56.101, there is no occasion to look to section 56.36 for a remedy. In any event, section 56.36 provides remedies when a health care provider has "negligently released confidential information or records concerning [the plaintiff] in violation of this part...." (§ 56.36, subd. (b), italics added.) For the reasons given, there is no "negligent[] release[] ... in violation of [the Confidentiality Act]," if there is no actual breach of confidentiality. Because Sutter Health has not negligently released information or records in violation of the Confidentiality Act, there is no remedy.
(10) The nominal damages provision of section 56.36, subdivision (b)(1) does not change this analysis. It provides for $1,000 in nominal damages and adds: "In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages." (§ 56.36, subd. (b)(1).) No damages, not even nominal damages, are available unless the injury protected against is suffered. (Buttram v. Owens-Corning Fiberglas Corp. (1997) 16 Cal.4th 520, 535 [66 Cal.Rptr.2d 438, 941 P.2d 71].) Once an actual breach of confidentiality is established, the plaintiff in an action under the Confidentiality Act may be entitled to $1,000 in nominal damages without establishing any pecuniary loss or threat of pecuniary loss. But nominal damages are not available if the injury — the confidentiality breach — has not occurred.
Conclusion
Because the plaintiffs have not alleged an actual breach of confidentiality, the trial court should have sustained Sutter Health's demurrer. We also conclude that the demurrer must be sustained without leave to amend and the action must be dismissed because the plaintiffs have not demonstrated, either in the trial court or on appeal, that there is a reasonable possibility they can amend the complaint to allege an actual breach of confidentiality. (Regents, supra, 220 Cal.App.4th at p. 570, fn. 15; Schultz v. Harney (1994) 27 Cal.App.4th 1611, 1623 [33 Cal.Rptr.2d 276].)
DISPOSITION
The petition is granted. Let a peremptory writ of mandate issue directing the superior court to vacate its order overruling the petitioners' demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the real parties in interests' action. The stay imposed when we issued the alternative writ is vacated. The petitioners are awarded their costs in this writ proceeding. (Cal. Rules of Court, rule 8.936.)
Mauro, J., and Duarte, J., concurred.
