Doe v. Sutherland Healthcare Sols.

A. DOE et al., Plaintiffs and Appellants, v. SUTHERLAND HEALTHCARE SOLUTIONS, INC. et al., Defendants and Respondents.

B297712

California Court of Appeals, Second District, Seventh Division

December 6, 2021

NOT TO BE PUBLISHED

APPEAL from a judgment of the Superior Court of Los Angeles County Nos. BC539436, BC539844, BC542556 Ann I. Jones, Judge. Reversed and remanded with directions.

Nelson & Fraenkel, Gretchen M. Nelson, Gabriel S. Barenfeld Kabateck, Brian Kabateck, Anastasia K. Mazzella; Genie Harrison Law Firm, Genie Harrison; Righetti Glugoski, Matthew Righetti; Law Offices of Kevin T. Barnes and Gregg Lander for Plaintiffs and Appellants.

Baker & Hostetler, Teresa C. Chow, Matthew C. Baisley, Paul Karlsgodt and Casie Collignon for Defendant and Respondent Sutherland Healthcare Solutions, Inc.

Jones Day, Daniel J. McLoon, David J. Feder; Office of the Los Angeles County Counsel, Brian T. Chu and Brandi M. Moore for Defendant and Respondent County of Los Angeles.

PERLUSS, P. J.

Following the theft of eight computers from an office of Sutherland Healthcare Solutions, Inc., a company that provides billing and payment processing services to hospitals including those operated by the County of Los Angeles, six affected individuals sued Sutherland and the County for violations of the Confidentiality of Medical Information Act (CMIA) (Civ Code, § 56 et seq.)^[1] and negligence in a putative class action lawsuit, alleging their confidential medical and personally identifiable information had been compromised. Their complaint sought statutory damages for the CMIA violation, as provided in sections 56.36, subdivision (b) and 56.101, subdivision (a), and, as actual damages for negligence, the value of the lost information and the cost of credit monitoring services and enhanced security measures undertaken by certain plaintiffs.

The trial court granted Sutherland and the County's motion for summary judgment, ruling as to the CMIA claim that plaintiffs' circumstantial evidence was insufficient to create a triable issue that the confidential nature of the plaintiffs' medical information had been breached by an unauthorized individual, as required by the Third District's decision in Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 1555 (Sutter Health) and this court's decision in Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549, 570 (Regents), and as to the negligence cause of action that plaintiffs had not presented evidence they had suffered actual damages or that potentially cognizable damages had been caused by the theft of the computers. The court also ruled that plaintiffs had failed to properly allege the County had violated a mandatory duty imposed by statute and that the County was immune from liability for common law negligence.

We reverse the judgment, affirming the order of summary adjudication as to the CMIA cause of action but reversing as to the negligence claim. On remand plaintiffs may renew their motion for leave to amend the complaint, which was denied by the trial court while the summary judgment motion was pending.

FACTUAL AND PROCEDURAL BACKGROUND

1. The Theft of Sutherland Computers Containing Confidential Information

a. Sutherland's data handling practice

For Sutherland to perform its billing and payment processing services, the County electronically transmitted patient data to Sutherland, which stored the information on a secure shared drive. Sutherland employees who worked with the data emailed documents, including spreadsheets, containing the personal health and personally identifiable information of individuals treated at county facilities. The computers at Sutherland's Torrance office were configured to save a cache of all emails sent and received by the computer user. As a result, every hard drive had a file containing all emails and attachments sent and received at that computer. Some employees also stored documents on their computers' hard drive.

The network server at Sutherland's Torrance office was encrypted. Access to individual computers required a username and password, but information stored on those computers was not encrypted. Although the degree of difficulty was debated by the parties' experts, it was undisputed that it was feasible for someone with the proper skillset to access the data on the password-protected computers.

b. The burglary

In the evening of February 5, 2014 someone entered Sutherland's Torrance office and stole eight desktop computers. The stolen computers were among nearly 80 in the office and were spread throughout the 9, 000 square foot facility. Six of the stolen computers were used by higher-level employees. Several of the individuals whose computers were taken admitted at deposition that they kept their passwords in a folder on their hard drives and had downloaded patient medical records and personally identifiable information onto their hard drives.

The hard drives in the eight stolen desktop computers contained files that included medical information or personally identifiable information for more than 340, 000 patients at county health care facilities. Following the theft Sutherland sent notification letters to more than 300, 000 patients.^[2] Law enforcement (the Torrance Police Department, the Los Angeles Police Department, the FBI and the Secret Service) investigated the theft and identified several suspects, but no arrests were made or charges filed. The stolen computers have not been recovered.

2. The Lawsuits

The first class action lawsuit arising from the February 5, 2014 burglary was filed against Sutherland in March 2014. On September 25, 2014 three lawsuits were consolidated, and, pursuant to stipulation, on October 31, 2014 a consolidated amended class action complaint was filed by Mario Cazarin, John Galliano, Tanikka Harasim, Oswald Robinson, Tu Kamon and Damon English against Sutherland and the County, asserting causes of action for violation of CMIA, negligence and violations of section 1798.81.5, failure to provide reasonable security procedures and practices with respect to California residents' personal information, and section 1798.82, failure to provide notice regarding a breach of security regarding California residents' personal information. Each of the six plaintiffs had received Sutherland's notice of the computer thefts.

Following a partially successful demurrer, plaintiffs on May 11, 2015 filed the operative consolidated second amended class action complaint, alleging causes of action for violation of CMIA and negligence against both Sutherland and the County and violation of section 1798.82 against Sutherland. Plaintiffs sought actual damages and/or statutory damages for violation of CMIA and actual damages for the failure to protect their medical and personally identifiable information in the other two causes of action.

After another pleading challenge, the court sustained the demurrer to the cause of action under section 1798.82 with leave to amend and overruled the demurrer to the CMIA and negligence claims.^[3] Plaintiffs did not amend further, and the section 1798.82 cause of action is not at issue in this appeal. Sutherland and the County answered the complaint on October 28, 2015.

3. The Motion for Leave To Amend

In September 2017, approximately five months after Sutherland and the County moved for summary judgment, plaintiffs sought leave to amend their complaint to add claims against Sutherland for breach of contract (as third party beneficiaries) and for violation of the unfair competition law (UCL) (Bus. & Prof Code, § 17200 et seq.). In support of their request plaintiffs argued the new causes of action related to the same general facts alleged in the operative complaint but added allegations based on evidence obtained from documents recently produced by the County and Sutherland, specifically the contracts between the County and Sutherland and documents "evidencing the County's promises to Plaintiffs and Class members related to the confidentiality of collected patient information which, in large part, form the basis for the additional causes of action against Sutherland in the Proposed Third Amended Complaint."

Sutherland and the County opposed the motion, arguing plaintiffs had unreasonably delayed in seeking leave to amend, they would be severely prejudiced if amendment were allowed, and the proposed amendments were futile. The trial court denied the motion in a three-page ruling on October 4, 2017, finding the additional discovery plaintiffs stated had alerted them to the existence of their new claims "was substantially available-either as part of the public record or as part of the documents produced to plaintiffs in 2015-over a year and a half ago."

The court ruled delay without a valid showing of excuse was a significant factor in considering a motion for leave to amend and could be a sufficient reason without more to deny the motion. In addition, the court found amendment at that point in the case would significantly prejudice defendants. The court pointed out that a motion for summary judgment had been filed by defendants and significant discovery had taken place, including "a considerable amount of discovery [by plaintiffs] in order to oppose that motion." Permitting the amendment would likely lead to another demurrer and then a new motion for summary judgment, preceded by additional discovery. "Such a delay is not only unjustified but would reopen much of the concluded discovery and significantly impair the case management plan that has been structured by this court for over two years. While there is no trial date set, the potentially dispositive motions are set for early next year. Additional causes of action would preclude ...