A California appellate court has just affirmed the lower court’s decision to deny class-action status for a lawsuit filed against a California healthcare provider over an insider data breach that impacted 5,485 individuals.
In May 2018, Muir Medical Group IPA found out that a former employee had accessed its patient records and copied patient files before leaving her job. The employee took the stolen patient records to her new company. The investigation revealed that the breach happened in December 2017 and impacted patients who received treatment from November 2013 to February 2017. The data stolen by the employee contained names, contact details, treatment data, and other sensitive information.
After the breach, a lawsuit (Vigil v. Muir Medical Group IPA, Inc.) was filed that alleged negligence and violations of the Customer Records Act and the Confidentiality of Medical Information Act (CMIA), as well as unlawful business practices under the Unfair Competition Law. The lawsuit additionally alleged a violation of the Security Management Process standard of HIPAA, since the employee should not have accessed the information of many of the patients.
The trial court denied class-action status for the lawsuit because the plaintiff’s claims were considered to be lacking. The court assessed the patient’s allegations on the basis of the alleged CMIA violation. The trial court observed that the lawsuit did not meet the predominance of common questions requirement. Under CMIA, individualized inquiries are required to establish the liability of the defendant and the damages to every affected patient. Liability depends on whether each class member’s records were in fact accessed, a question that, according to the facts, cannot be resolved in the aggregate.
The decision of the trial court was appealed; however, the appellate court took the defendant’s side, affirming that class-action status cannot be approved because the plaintiff could not prove unauthorized third-party access to the files of every class member. Since this was considered an individual matter, class certification wasn’t proper. The appellate court additionally decided that the plaintiff did not have a viable claim under CMIA because of the failure to show that the healthcare company had negligently maintained or stored patient data and then lost that data because of its negligence.