
CA court rules hospitals not strictly liable for employee privacy breaches

In September 2025, the California Court of Appeals, Third Appellate District, issued a judgment clarifying California law's standard for medical information breach notifications.

What happened

The case involved a November 2016 incident at a California neuropsychiatric hospital, where an employee photographed a patient’s medical information with a personal phone and posted it on Instagram. On appeal, the California Department of Public Health (CDPH) argued for strict liability, while the hospital argued it had met the law’s security safeguard requirements. Judges Jonathan Ishee and Michael Paluzzi, writing for Goodwin, summarized that the appellate court rejected strict liability and instead applied a reasonableness standard, finding that providers should not be penalized for inadvertent employee misconduct when appropriate safeguards are in place.

What was said

According to the court transcripts, “The ‘shall prevent’ language does suggest, at least as a starting point, that a health facility is required to prevent unauthorized access, use, and disclosure of patients’ medical information. Courts generally interpret the word ‘shall’ as giving rise to a mandatory duty, although, despite that presumption, a court interpreting a statute must still determine the legislative intent behind the enactment. (See California Correctional Peace Officers Assn. v. State Personnel Bd. (1995) 10 Cal.4th 1133, 1143 [there is a ‘presumption that the word “shall” in a statute is ordinarily deemed mandatory, and “may” permissive,’ but, ‘[n]onetheless, in construing the statute, the court must ascertain the legislative intent’].)”

The backstory

The case dates back to November 2016, when an employee at a California neuropsychiatric hospital used their personal cell phone to take a photograph of a patient’s medical information. Believing the image had been redacted, the employee then posted it on Instagram. However, the redaction was incomplete, and personal details of 10 patients were still visible in the photo.

This social media disclosure prompted an investigation by the CDPH, which determined that the hospital had failed to prevent unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information under California’s medical information breach notification law.

As a result, CDPH imposed a $75,000 penalty against the hospital, despite the fact that the employee had previously undergone HIPAA training, signed a confidentiality agreement, and acted in direct violation of internal policy. The hospital responded by terminating the employee, issuing a system-wide reminder to staff about confidentiality obligations, and notifying all affected patients.

What happens next

The appellate court’s decision imports a reasonableness standard into California’s medical information breach notification law, meaning regulators must prove that the provider failed to maintain proper administrative, technical, or physical safeguards before penalties can be imposed. For healthcare organizations, this offers reassurance that compliance with HIPAA-like safeguards, such as employee training, confidentiality agreements, and security protocols, can shield them from liability in cases of inadvertent disclosures.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

Why are insider threats so serious?

Because insiders already have authorized access to systems and data, their actions can bypass many security safeguards. Even accidental actions, like posting redacted information that still reveals patient data, can cause major breaches.

Are organizations always liable for insider threats?

No. As clarified in the California appellate case (September 2025), organizations that maintain appropriate and reasonable safeguards may not be held strictly liable for inadvertent employee misconduct.

What happens if an insider threat comes from organizational failures?

If the breach results from poor security safeguards, such as weak access controls or lack of monitoring, regulators can still impose penalties because the organization itself failed to comply with required standards.