Two potential class action lawsuits filed against Sutter Health (updated)
It was only a matter of time, right? Darrell Smith reports:
Sutter Health is being sued for negligence and other allegations in the mid-October theft of a computer from Sutter Medical Foundation headquarters that held information on more than 4 million of its patients.
The class-action suit, filed Monday on behalf of plaintiff Karen Pardieck of Folsom in Sacramento Superior Court, alleges that the Sacramento-based health network was negligent in safeguarding its computers and data and then did not notify the millions of patients whose data went missing within the time required by state law. The suit seeks $1,000 for each member of the class and attorneys’ fees.
Read more on Sacramento Bee.
That was one of two lawsuits filed in the past two weeks. Another law firm issued a press release today about a lawsuit they filed November 16 in Alameda County Superior Court on behalf of a different plaintiff.
Both lawsuits mention notification within the time required by state law, but I don’t see where the state law actually specifies an exact deadline for notifying. One part of the statute says “immediately” upon discovery, but another part allows the entity the time needed to determine the scope of the breach. I’d be interested in reading that part of both lawsuits to see why they claim a one-month gap between discovery and notification violates California law. [The preceding post was corrected to add the correct links.]
Update: The complaint filed in Sacramento Superior Court (Pardieck v. Sutter Health) is online, here. The first cause of action is alleged violation of California’s Confidentiality of Medical Information Act. The second cause of action relates to timeliness of notification and cites California Code 1798.82. I had checked into that section when trying to figure out what the complaint might cite about timeliness of notification, and had noted the confusion within that section. You can read the code here. Yes, Sutter knew quickly that there was an incident, but how long did it take to figure out its scope in terms of how many patients were affected, which patients were affected, and what kinds of data were involved for each patient? I don’t think it’s reasonable to expect any entity to immediately provide individual notice to everyone if they don’t yet know whose data – or which data – are involved.