Take the prudent and responsible path

I had a surprise when I called the Sacramento County Clerk's office last week for a copy of the complaint in Pardieck v. Sutter Health, a class-action, medical data breach suit.

Sutter had a desktop computer stolen from an office in mid-October. The computer held personally identifiable information on about 4.3 million people. About a month later, Sutter mailed breach notification letters to 943,000 of its own patients, whose records included diagnoses and procedures.

"Oh, yeah, I got one of those letters," said the clerk's office employee who answered the phone.

This encounter reminded me there are real people behind the fantastic numbers being posted in these all-too-frequent medical records breaches. The employee promptly provided me the lawsuit's case number and told me how to retrieve the document. The suit was filed Nov. 21.

The $943 million question in this case—since Sutter is being sued for $1,000 per breached patient record—is simply this: Is it negligent for a provider not to encrypt patient-identifiable medical data, even data at rest?

So far, the answer has been, no, according to Deven McGraw, a lawyer who heads the Health Privacy Project at the Center for Democracy and Technology.

"I am unaware of cases where failure to encrypt has been determined to be negligent, (especially) since the law does not strictly require encryption," McGraw said.

Pardieck's lawyer, Robert Buccola, argues otherwise. His complaint alleges that "(a)mong other things, Sutter is and was negligent by failing to store its patients' medical information in an encrypted form."

According to Michael "Mac" McMillan, CEO of CynergisTek, a security firm that works extensively in the healthcare industry, this case could be a watershed for encryption. If the decision goes to the plaintiff, "It will create an enormous precedence as a standard of care," McMillan said. "No doubt about it."

McMillan said there's ample evidence of a national problem, now that the government's own burgeoning wall of shame" database" lists 372 sizable breaches, none of which would have been there had the culprits simply encrypted their data.

"You could easily come to the conclusion that encryption is a prudent and responsible step," McMillan said. "I said this same thing to a group the other day. At one point, these lawyers are going to smarten up, stop trying to prove harm, which is damn near impossible to do, and go after the negligence angle and say, 'Have you been responsible in protecting the data?' and attacking that instead."

He added, "It's much easier to prove negligence, based on an infraction of a rule, or a standard of care that's generally accepted, than it is to prove harm."

The fact that Sutter is saying it was a desktop that was stolen "doesn’t alter the fact that they had protected health information stored locally," McMillan said. "It was stored on a device that was pilfer-able. I have these discussions all the time with hospitals. They encrypt their laptops but allow people to put anything they want on desktops."

Follow Joseph Conn on Twitter: @MHJConn.