This post was also written by Joshua B. Marker.

A panel of the Court of Appeal limited the private right of action under the California Confidentiality of Medical Information Act, Civil Code § 56 et seq. (“CMIA”), holding that alleging negligent maintenance and loss of possession of confidential information is insufficient to state a cause of action.

In the putative class action, Regents of the University of California v. Superior Court, an encrypted hard drive containing confidential patient information was stolen in a home invasion robbery. The plaintiff alleged that the hospital had negligently maintained information in violation of the CMIA, but did not allege that there was any unauthorized access or viewing of her confidential information.

The court held that plaintiff had failed to state a claim, ruling that there is a private right of action for negligent maintenance, “only when such negligence results in unauthorized or wrongful access to the information.” As the plaintiff did not allege such unauthorized access, she could not state a claim.

Because of the availability of administrative penalties, violations of the CMIA carry potentially significant costs. This ruling is significant as it will possibly limit the exposure for “every provider of health care, health care service plan, pharmaceutical company, or contractor” who has lost confidential patient information, such as by having a laptop or hard drive accidentally lost or stolen.