2017-00221961-CL-MC

Louis Merrick, CDCR#P11802 vs. Yulanda Mynheir

Nature of Proceeding: Hearing on Demurrer

Filed By: Bragg, R. Lawrence

This matter was set for oral argument on this date, on March 20, 2018.

Defendants Mynhier and Tharrat’s Demurrer to the Complaint is sustained with leave to amend for failure to state facts sufficient to constitute a cause of action.

On March 15 the Court received a request from plaintiffs to reschedule the February

27 demurrer to March 20. The Court had already continued the demurrer to March 20 to allow the filing of a Reply to the late opposition.

Plaintiff Merrick is the only plaintiff who has paid a filing fee. The recent fee waiver submitted by plaintiffs Milton and Garner were rejected on March 19, 2018.

Plaintiffs Merrick, Milton and Garner are state prisoners who are suing defendants Yulanda Mynhier and Tharratt over an incident in which a laptop was stolen by an unidentified party that may have contained their confidential medical information.

Defendant Mynhier was the Director of Healthcare Policy and Administration employed by the California Correctional Health Care Services (CCHSC) and Defendant Tharratt was the Director of Health Care Operations for CCHCS. This is but one of a series of cases encountered by the Court on similar facts. Plaintiffs raise claims under the Confidentiality of Medical Information Act (Civ. Code, § 56 et seq.), for breach of fiduciary duty, and in negligence.

In May 2016 CCHCS sent out a “Data Breach Notification” to inmates including Plaintiffs, informing them of a potential breach of their personal information when an unencrypted laptop was stolen from the personal vehicle of an employee of CCHCS. Plaintiffs allege that their personal information was viewed by an unauthorized employee of CCHCS who was in possession of the laptop when it was stolen and that this constitutes general negligence and violates California’s Confidentiality of Medical Information Act, Government Code §19572 and California Code of Regulations Title 15, §§3424, 3402(b), 3413, and 3316(c)

None of the plaintiffs allege any damages arising out of the alleged breach of their personal information.

Defendants have established that they are immune from suit for injuries caused by another individual’s actions. Moreover, plaintiffs have not alleged facts sufficient to state a negligence claim or for violation of the Confidentiality of Medical Information Act. Finally, defendants contend that Government Code 19572 and the Code of California Regulations title 15 do not provide for a private right of action.

Immunity

Under the California Government Claims Act, a public employee can only be liable for an act or omission that he or she commits; there is no individual liability for actions or omissions taken by third parties, including co-workers. (Govt. Code § 820.8; see Weaver v. State of California (1998) 63 Cal.App.4th 188, 202.)

The operative complaint is devoid of any allegations that Tharratt and Mynhier personally committed the alleged acts, either as far as misplacing the laptop, or in any other role that allegedly resulted in the purported compromise of Plaintiffs’ personal medical information. Likewise, there are no facts alleged that Tharratt or Mynhier was ever in possession or control of Plaintiff’s personal information in any that would extend liability or responsibility to him for any legal violation pertaining to an unauthorized release of Plaintiff’s medical information. Therefore, under Gov. Code 820.8, Mynhier and Tharratt are immune from liability resulting from other CCHCS employees who allegedly failed to expunge the laptop. (Weaver, supra, at 202.

Negligence

Plaintiffs Complaint fails to allege that personal information was actually contained on the laptop when it was stolen. The exhibits to the complaint demonstrate that it is unknown whether plaintiffs’ personal information was on the laptop. (Complaint Ex. A2 and B2. Facts “appearing in exhibits attached to the Complaint will be accepted as true and , if contrary to the allegations in the complaint, will be given precedence. Dodd v Citizens Bank of Costa Mesa(1990) 222 Cal.App.3d at 1624, 1627. Therefore plaintiffs have not alleges whether there was any breach of duty.

Moreover, a general negligence cause of action requires a plaintiff to allege that a defendant: (1) owed plaintiff a legal duty; (2) breached that duty; and (3) the breach proximately caused injury. (Mintz v Blue Cross of California(2009) 172 CaI.App.4th 1594, 1609.) Plaintiffs allege defendants refused to provide plaintiffs with the true names of the workforce member in which the unencrypted laptop was placed fails to state a negligence claim. Plaintiffs do not cite any case law or statutory authority supporting the imposition of a legal duty under these circumstances. Additionally, the exhibits attached to the complaint do not indicate that Tharratt or Mynhier denied plaintiffs’ requests for information; rather, the exhibits denying the request were signed

by an unidentified “Health Care Representative.” (Complaint, Ex. A8.)

Confidentiality Act

In addition, Plaintiffs fail to allege any facts showing an actual unauthorized access occurred of hisconfidential information under the Confidentiality Act, which protects the confidentiality of patients’ medical information.Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 1550 .) The Act provides for an award of $1,000 in nominal damages if a health care provider negligently releases medical information or records in violation of the Confidentiality Act. (Civ. Code, § 56.36, subd. (b)(1).) Any healthcare provider who “negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information” shall be subject to the penalties of section 56.36. (Civ. Code, § 56.101, subd. (a).) Liability only exists under § 56.36 where it is alleged that an unauthorized person viewed the confidential records. Sutter Health v Superior Court (2014) 227 Cal.App.4th 1546, 1558 .)

No allegation has been made that plaintiff’s confidential medical information has actually been viewed or accessed after the theft of the laptop by moving defendants, or any third party for that matter. Nor is there an allegation

that there was a “release”; there is an allegation that the computer was stolen and that plaintiff’s medical information might have been on the drive. Again, the notice from the CCHCS indicated that Plaintiffs’ information might have been on the laptop.

No private right of action

Government Code section 19572 pertains to grounds to discipline state employees. There is no language demonstrating that the legislature intended to create a private right of action for violation of this statute. Whether a party has a private right of action depends on whether the legislature has manifested an intent to create such a cause of action by the language of the statute. Luv Hawaiian Gardens Casino. Inc. (2010) 50 Cal.4th 592, 596.

Similarly, no such private right of action arises from an administrative regulation absent a statute enacted by the legislature.Thurman v Bayshore Transit Management, Inc. (2021) 203 Cal.App.4th 1112, 1132. No such statute exists with regard to prison regulations contained in CCR Title 15.

Government Claim Requirement

Plaintiff Garner failed to comply with the California Government Claims Act because he did not file a government claim within 6 months of being notified of the alleged data breach. (Complaint Ex. B14) The Claims Act requires timely filing of a proper claim as a condition precedent to maintenance of an action. Gov Code section 905, 9.11.2, 945.4.

Plaintiff Merrick has alleged no facts in his opposition to support the argument that defendants are not immune from suit. However, since this is the first challenge to the pleadings, plaintiffs are given leave to amend. In the event that plaintiffs Milton and Garner’s fee waivers are granted, the First Amended Complaint may be filed on behalf of all plaintiffs.

Plaintiffs may file and serve an Amended Complaint on or before April 20, 2018. Response to be filed and served within 20 days of the receipt of the amended pleading.