Summary
rejecting plaintiff's theory of vicarious liability under the CFAA and noting that the statute creates only a "limited private right of action against the violator"
Summary of this case from Jagex Limited v. Impulse SoftwareOpinion
CV-00-100-M
July 19, 2001
O R D E R
Jane Doe brings this civil suit for compensatory damages based on alleged violations of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 (2000), and she asserts several state common law and statutory causes of action as well. Defendants move for summary judgment on all counts.
Standard of Review
Summary judgment is appropriate when the record reveals "no genuine issue as to any material fact and . . . the moving party is entitled to a judgment as a matter of law." Fed.R.Civ.P. 56(c). When ruling upon a party's motion for summary judgment, the court must "view the entire record in the light most hospitable to the party opposing summary judgment, indulging all reasonable inferences in that party's favor." Griggs-Ryan v. Smith, 904 F.2d 112, 115 (1st Cir. 1990).
The moving party "bears the initial responsibility of informing the district court of the basis for its motion, and identifying those portions of [the record] which it believes demonstrate the absence of a genuine issue of material fact." Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). If the moving party carries its burden, the burden shifts to the nonmoving party to demonstrate, with regard to each issue on which it has the burden of proof, that a trier of fact could reasonably find in its favor. See DeNovellis v. Shalala, 124 F.3d 298, 306 (1st Cir. 1997).
At this stage, the nonmoving party "may not rest upon mere allegation or denials of [the movant's] pleading, but must set forth specific facts showing that there is a genuine issue" of material fact as to each issue upon which he or she would bear the ultimate burden of proof at trial. Id. (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 256 (1986)). In this context, "a fact is `material' if it potentially affects the outcome of the suit and a dispute over it is `genuine' if the parties' positions on the issue are supported by conflicting evidence." Intern'l Ass'n of Machinists and Aerospace Workers v. Winship Green Nursing Center, 103 F.3d 196, 199-200 (1st Cir. 1996) (citations omitted).
The Parties
The Defendants
Dartmouth-Hitchcock Medical Center ("DHMC") operates the Mary Hitchcock Memorial Hospital ("MHMH"), a teaching hospital in Lebanon, New Hampshire.
The Trustees of Dartmouth College operate, among other entities, the Dartmouth Medical School ("DMS") and Dartmouth-Hitchcock Psychiatric Associates ("DHPA").
The Hitchcock Clinic, Inc. ("Clinic"), a New Hampshire corporation, operates a practice group employing physicians in diverse specialties, most of whom perform services at DHMC.
In order to coordinate patient care, DHMC, MHMH, DMS, DHPA, and the Clinic (collectively the "Dartmouth defendants") maintain a single, integrated computer system to store, manage, and share medical records.
Jane Doe
Plaintiff, Jane Doe, has suffered from one or more mental disorders over the years, and has been a regular participant in psychiatric therapy since the early 1980s. During the 1990s, Doe was a psychiatric patient of DHMC, and obtained general medical services from DHMC as well. Her medical records were kept on Dartmouth's integrated computer system.
Factual Background
Between 1994 and 1998, Barbara Lohn, M.D., was employed by MHMH as a resident in psychiatry, and later as a geriatric psychiatry Fellow. Her positions with MHMH were, in part, related to her medical education, which DMS was responsible for overseeing (including the educational component of Dr. Lohn's employment).
Dr. Loan was originally named as a defendant in this lawsuit. She was dismissed by stipulation on February 6, 2001 (document no. 32).
As an employee of MHMH, Dr. Lohn was authorized to access the integrated computer system to review her patients' medical records and any other records related to her employment or medical education. She was provided a software program to install on her personal computer so she could conveniently access the system from home. The DHMC Graduate Medical Training Manual describes policies governing the confidentiality of patient records, which generally prohibit interns and Fellows, like Dr. Lohn, from accessing patient records absent a "professional `need to know.'" Defendants' Motion for Summary Judgment, Ex. C at 39 (document no. 34).
In 1995, Dr. Lohn became socially acquainted with the plaintiff, Doe, through an unrelated women's group. Although they never established a professional medical relationship, Dr. Lohn was aware of Doe's status as a patient of the Dartmouth defendants. At some point in early 1998, the personal relationship between Dr. Lohn and Doe began to deteriorate. In June of that year, Dr. Lohn apparently began to remotely access and read Doe's medical records from home, without Doe's knowledge and without any employment or educational justification. That access by Lohn was plainly "unauthorized" (or, at a minimum, "exceeded her authorization") since Doe was not Lohn's patient and Lohn had no professional or educational need to review Doe's medical records. Dr. Lohn explained that she accessed Doe's records to satisfy an entirely personal desire to understand Doe's recent behavior toward her. See Plaintiff's Opposition to Summary Judgment, Ex. 1, Affidavit of Barbara Lohn (document no. 35). At no time did Dr. Lohn alter or destroy any of Doe's medical records.
In June of 1998, Doe contacted DHMC to report her suspicion that her medical records had been improperly accessed. An initial audit by DHMC revealed nothing unusual. On September 18, 1998, Doe again called DHMC to voice her concern that her medical records were being reviewed inappropriately. Another audit was performed, and this time it revealed that Dr. Lohn had accessed Doe's medical records during July, August, and the first part of September, with no apparent justification.
After learning that Dr. Lohn had inappropriately reviewed her medical records, Doe felt compromised and uncomfortable continuing as defendants' patient. She began treatment with a new psychiatrist and allegedly suffered set-backs in her therapy. Additionally, because she suspects Dr. Lohn may have disclosed confidential information from her medical records to other members of the women's group, Doe says she has become reclusive, and suffers from stress which causes her to grind her teeth.
Discussion
Because judgment on Count I, in which Doe asserts a cause of action based upon Dr. Lohn's apparent violation of the Computer Fraud and Abuse Act ("CFAA" or "Act"), is the only federal claim, and judgment on that count would resolve all federal issues, that count will be addressed first.
The Statutory Framework
Title 18, section 1030, entitled "Fraud and related activity in connection with computers," is commonly known as the Computer Fraud and Abuse Act. Although originally enacted as a criminal statute designed to combat an increase in computer crimes, provisions creating a private civil cause of action were added in 1994. See 18 U.S.C. § 1030(g). The private cause of action is designed to supplement the criminal sanctions set out in section 1030(c), and provides that:
[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations involving damage as defined in subsection (e)(8)(A) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.18 U.S.C. § 1030(g).
Claiming she suffered "damages" recoverable under the CFAA, Doe alleges that the Dartmouth defendants, through Dr. Lohn, violated sections "1030(a)(2), 1030(a)(5), and/or other subsections of Section 1030(a)," Complaint, Count I, ¶ 31, because her confidential medical records were accessed by someone without authorization (or who exceeded authorized access). It appears that subsections 1030(a)(2) and (5) are the only provisions arguably relevant to this case. Subsections 1030(a)(1), (3), (4), (6), and(7) are inapplicable because they relate to classified government information, government computers, and/or require an intent to defraud or extort, none of which has been alleged in the complaint. Section 1030(a)(2) makes it unlawful to:
intentionally access a computer without authorization or exceed authorized access, and thereby obtain —
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency, as such terms are defined in the Fair Credit Reporting Act
. . .; or
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication[.]18 U.S.C. § 1030(a)(2). Section 1030(a)(5) applies to anyone who
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.18 U.S.C. § 1030(a)(5). The CFAA defines "damage" as any impairment to the integrity or availability of data, a program, a system, or information, that —
(A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;
(B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;
(C) causes physical injury to any person; or
(D) threatens public health or safety[.]
18 U.S.C. § 1030(e)(8) (emphasis supplied).
Application to Doe's Claims
To establish the elements of a private cause of action under the CFAA, Doe must show that she has suffered "damage" (as defined by the statute) or "loss." It is doubtful that she can do either.
The statutory definition of "damage" is somewhat ambiguous, because it is not clear what is meant by the phrase "impairment to the integrity . . . of information." Doe suggests the phrase should be construed to cover Dr. Lohn's unauthorized reading of her confidential medical records. In other words, Doe says that an unauthorized reading of confidential medical records operates to "impair the integrity" of those records. Defendants counter that the phrase "impairment to the integrity . . . of information" means some disruption of the functioning, security, or reliability of computer systems, programs, data, or information.
Whether the CFAA's civil action provisions cover a physician's unauthorized review of computerized medical records is a somewhat novel question that does not appear to have been addressed by any court. While pertinent legislative history shows that the "premise of . . . subsection [1030(a)(2)] is privacy protection," see S. Rep. No 104-357, pt. IV(B) (1996) (quoting S. Rep. No. 99-434 (1986)), and Congress accordingly created criminal penalties for using a computer to invade privacy, see 18 U.S.C. § 1030(a)(2), (c), it is far less apparent that Congress intended to also provide a federal civil remedy for what is essentially a state common law tort — invasion of privacy.
In any event, the point is not dispositive in this case. Under subsection 1030(g) of the Act Doe can only "maintain a civil action against the violator . . . ." See 18 U.S.C. § 1030(g) (emphasis supplied). Dr. Lohn was clearly the "violator;" it was she who accessed Doe's computerized medical records without authority. Nothing presented by plaintiff suggests that the Dartmouth defendants violated the CFAA in any respect. They not only did not access Doe's medical records without authority, but in fact were victimized by Lohn's breach of the policies established to protect Doe's confidentiality. The only way Doe could maintain a civil action against the Dartmouth defendants under the CFAA would be on a theory of vicarious liability or agency.
Doe argues that the Dartmouth defendants could be held vicariously liable for Lohn's invasion of her privacy under New Hampshire law. But that argument is not very helpful, because whether a federal statute "embraces such principles [of vicarious liability] is a matter of statutory interpretation based upon congressional intent." Atlantic Financial Management, Inc., 784 F.2d 29, 31 (1st Cir. 1986) (emphasis added). "[T]he courts have tended to read congressional statutes that impose tort-like liability to embrace at least some of these well established common law agency principles, where language permits and doing so furthers basic statutory purposes." Id. In this case, imposing vicarious liability on the Dartmouth defendants in this case would neither be permitted by the language of the CFAA itself, nor would it further the basic purpose of the Act.
First, the CFAA is essentially a criminal statute. It creates only a limited private right of action "against the violator," that is, against a person who violates the statute with the requisite criminal intent. See 18 U.S.C. § 1030(g) (emphasis added). Expanding the private cause of action created by Congress to include one for vicarious liability against persons who did not act with criminal intent and cannot be said to have violated the statute, like the Dartmouth defendants, would be entirely inconsistent with the plain language of the statute.
Second, the CFAA's unequivocal purpose is to deter and punish those who intentionally access computer files and systems without authority and cause harm. See S. Rep. No. 104-357, pts. II, III. The civil cause of action was later added to the CFAA to enhance its deterrent effect and provide a means by which victims of computer crimes might obtain compensation, to the extent they suffer defined damages or loss. See S. Rep. No. 101-544, pt. III. The CFAA's prohibitions related to access in excess of one's authority, see, e.g., 18 U.S.C. § 1030(a)(2)(c), (5)(b), were presumably intended to place those who maintain computer systems (and who extend only limited access to some people, such as the Dartmouth defendants) within the class of protected persons.
In this case, Dr. Lohn was granted only limited access to Dartmouth's computerized patient records. The Dartmouth defendants imposed the limitation — and they imposed the limitation for the very purpose of protecting patient confidentiality. Dr. Lohn violated the CFAA only because she exceeded the limitations placed on her access by the Dartmouth defendants themselves. To hold the Dartmouth defendants vicariously liable for Lohn's intentional violation of the CFAA, when that violation necessarily involved included an intentional violation of the defendants' own policies — and actually victimized the Dartmouth defendants, would hardly be consistent with, or further the purpose of, the CFAA, which, after all, is intended to protect computer systems like Dartmouth's from unauthorized access and concomitant damage. See 18 U.S.C. § 1030(a)(2)(C).
Parenthetically, assuming Dr. Lohn's unauthorized reading of Doe's medical records resulted in an "impairment to the integrity of the data, . . . or information that . . . modifie[d] or impair[ed], or potentially modifie[d] or impair[ed] the medical . . . treatment, or care of one or more individuals," the Dartmouth defendants would also have a civil claim against Dr. Lohn under the CFAA. See 18 U.S.C. § 1030(a)(5)(b), (e)(8), (g). Holding the Dartmouth defendants vicariously liable to Doe for Dr. Lohn's intentional CFAA violation would turn the protective statute — meant to protect Dartmouth's computer systems — on its head. Cf. Dakis v. Chapman, 574 F. Supp. 757, 760 (N.D.Cal. 1983) (declining to find vicarious liability under the Racketeer and Influenced and Corrupt Organizations Act where "it would be an anomalous result indeed if, because [the employee] had misused his authority to trade the accounts, and had actually violated internal guidelines of the firms by doing so, the firms were nonetheless deemed `aggressor' enterprises liable under RICO").
It is not necessary to determine, therefore, whether Dr. Lohn's activity did or did not fall within the scope of her employment for respondeat superior purposes under New Hampshire law. Nor is it necessary to decide whether Doe's claimed injuries qualify as "damage" or "loss" as defined by the CFAA. On the undisputed facts of this case, neither the language nor the purpose of the CFAA are consistent with holding the Dartmouth defendants vicariously liable for Dr. Lohn's intentional violation of the Act. See In re Atlantic Financial Management, Inc., 784 F.2d at 31. The Dartmouth defendants may or may not be vicariously liable for Lohn's invasion of Doe's privacy, or some related tort, under applicable state law — that is a matter for the state courts — but they are not liable to Doe for Dr. Lohn's intentional criminal violations of the CFAA, and they, of course, have not violated the CFAA themselves.
Conclusion
Because Doe cannot maintain a private cause of action under the CFAA against the Dartmouth defendants based on Dr. Lohn's conduct, defendants' motion for summary judgment (document no. 34) is granted as to Count I.
Having disposed of Doe's only federal claim, the court declines to exercise supplemental jurisdiction over the remaining state law claims. See generally, Camelio v. American Federation, 137 F.3d 666 (1st Cir. 1998). Accordingly, those claims are dismissed without prejudice and may be filed in a state court of competent jurisdiction.
The Clerk shall enter judgment in accordance with the terms of this order and close the case.
SO ORDERED.