Doe v. Dartmouth-Hitchcock

2001 DNH 132

• Court: District Court, D. New Hampshire
• Decided: July 19, 2001
• Docket: CV-00-100-M
• Status: Published

Opinion

Doe v. Dartmouth-Hitchcock CV-00-100-M 07/19/01 UNITED STATES DISTRICT COURT

DISTRICT OF NEW HAMPSHIRE

Jane Doe(pseudonym), Plaintiff

v. Civil No. 0 0-100-M Opinion No. 2001 DNH 132 Dartmouth-Hitchcock Medical Center, Trustees of Dartmouth College, and the Hitchcock Clinic, Inc., Defendants

O R D E R

Jane Doe brings this civil suit for compensatory damages

based on alleged violations of the Computer Fraud and Abuse Act

("CFAA"), 18 U.S.C. § 1030 (2000), and she asserts several state

common law and statutory causes of action as well. Defendants

move for summary judgment on all counts.

Standard of Review

Summary judgment is appropriate when the record reveals "no

genuine issue as to any material fact and . . . the moving party

is entitled to a judgment as a matter of law." Fed. R. Civ. P.

56(c) . When ruling upon a party's motion for summary judgment,

the court must "view the entire record in the light most hospitable to the party opposing summary judgment, indulging all

reasonable inferences in that party's favor." Griqqs-Rvan v.

Smith. 904 F.2d 112, 115 (1st Cir. 1990).

The moving party "bears the initial responsibility of

informing the district court of the basis for its motion, and

identifying those portions of [the record] which it believes

demonstrate the absence of a genuine issue of material fact."

Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). If the

moving party carries its burden, the burden shifts to the

nonmoving party to demonstrate, with regard to each issue on

which it has the burden of proof, that a trier of fact could

reasonably find in its favor. See DeNovellis v. Shalala, 124

F .3d 298, 306 (1st Cir. 1997).

At this stage, the nonmoving party "may not rest upon mere

allegation or denials of [the movant's] pleading, but must set

forth specific facts showing that there is a genuine issue" of

material fact as to each issue upon which he or she would bear

the ultimate burden of proof at trial. I d . (quoting Anderson v.

Liberty Lobby, Inc., 477 U.S. 242, 256 (1986)). In this context,

"a fact is 'material' if it potentially affects the outcome of

the suit and a dispute over it is 'genuine' if the parties'

2 positions on the issue are supported by conflicting evidence."

Intern'1 Ass'n of Machinists and Aerospace Workers v. Winship

Green Nursing Center, 103 F.3d 196, 199-200 (1st Cir. 1996)

(citations omitted).

The Parties

The Defendants

Dartmouth-Hitchcock Medical Center ("DHMC") operates the

Mary Hitchcock Memorial Hospital ("MHMH"), a teaching hospital in

Lebanon, New Hampshire.

The Trustees of Dartmouth College operate, among other

entities, the Dartmouth Medical School ("DMS") and Dartmouth-

Hitchcock Psychiatric Associates ("DHPA").

The Hitchcock Clinic, Inc. ("Clinic"), a New Hampshire

corporation, operates a practice group employing physicians in

diverse specialties, most of whom perform services at DHMC.

In order to coordinate patient care, DHMC, MHMH, DMS, DHPA,

and the Clinic (collectively the "Dartmouth defendants") maintain

a single, integrated computer system to store, manage, and share

medical records.

3 Jane Doe

Plaintiff, Jane Doe, has suffered from one or more mental

disorders over the years, and has been a regular participant in

psychiatric therapy since the early 1980s. During the 1990s, Doe

was a psychiatric patient of DHMC, and obtained general medical

services from DHMC as well. Her medical records were kept on

Dartmouth's integrated computer system.

Factual Background

Between 1994 and 1998, Barbara Lohn, M.D.,1 was employed by

MHMH as a resident in psychiatry, and later as a geriatric

psychiatry Fellow. Her positions with MHMH were, in part,

related to her medical education, which DMS was responsible for

overseeing (including the educational component of Dr. Lohn's

employment).

As an employee of MHMH, Dr. Lohn was authorized to access

the integrated computer system to review her patients' medical

records and any other records related to her employment or

1Dr. Loan was originally named as a defendant in this lawsuit. She was dismissed by stipulation on February 6, 2001 (document no. 32).

4 medical education. She was provided a software program to

install on her personal computer so she could conveniently access

the system from home. The DHMC Graduate Medical Training Manual

describes policies governing the confidentiality of patient

records, which generally prohibit interns and Fellows, like Dr.

Lohn, from accessing patient records absent a "professional 'need

to know.'" Defendants' Motion for Summary Judgment, Ex. C at 39

(document no. 34).

In 1995, Dr. Lohn became socially acquainted with the

plaintiff. Doe, through an unrelated women's group. Although

they never established a professional medical relationship. Dr.

Lohn was aware of Doe's status as a patient of the Dartmouth

defendants. At some point in early 1998, the personal

relationship between Dr. Lohn and Doe began to deteriorate. In

June of that year. Dr. Lohn apparently began to remotely access

and read Doe's medical records from home, without Doe's knowledge

and without any employment or educational justification. That

access by Lohn was plainly "unauthorized" (or, at a minimum,

"exceeded her authorization") since Doe was not Lohn's patient

and Lohn had no professional or educational need to review Doe's

medical records. Dr. Lohn explained that she accessed Doe's

5 records to satisfy an entirely personal desire to understand

Doe's recent behavior toward her. See Plaintiff's Opposition to

Summary Judgment, Ex. 1, Affidavit of Barbara Lohn (document no.

35). At no time did Dr. Lohn alter or destroy any of Doe's

In June of 1998, Doe contacted DHMC to report her suspicion

that her medical records had been improperly accessed. An

initial audit by DHMC revealed nothing unusual. On September 18,

1998, Doe again called DHMC to voice her concern that her medical

records were being reviewed inappropriately. Another audit was

performed, and this time it revealed that Dr. Lohn had accessed

Doe's medical records during July, August, and the first part of

September, with no apparent justification.

After learning that Dr. Lohn had inappropriately reviewed

her medical records. Doe felt compromised and uncomfortable

continuing as defendants' patient. She began treatment with a

new psychiatrist and allegedly suffered set-backs in her therapy.

Additionally, because she suspects Dr. Lohn may have disclosed

confidential information from her medical records to other

members of the women's group. Doe says she has become reclusive,

and suffers from stress which causes her to grind her teeth.

6 Discussion

Because judgment on Count I, in which Doe asserts a cause of

action based upon Dr. Lohn's apparent violation of the Computer

Fraud and Abuse Act ("CFAA" or "Act " ) , is the only federal claim,

and judgment on that count would resolve all federal issues, that

count will be addressed first.

The Statutory Framework

Title 18, section 1030, entitled "Fraud and related activity

in connection with computers," is commonly known as the Computer

Fraud and Abuse Act. Although originally enacted as a criminal

statute designed to combat an increase in computer crimes,

provisions creating a private civil cause of action were added in

1994. See 18 U.S.C. § 1030(g). The private cause of action is

designed to supplement the criminal sanctions set out in section

1030(c), and provides that:

[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations involving damage as defined in subsection (e)(8)(A) are limited to economic damages. No action may be brought under this subsection unless such action is begun within

7 2 years of the date of the act complained of or the date of the discovery of the damage.

18 U.S.C. § 1 0 3 0 (g).

Claiming she suffered "damages" recoverable under the CFAA,

Doe alleges that the Dartmouth defendants, through Dr. Lohn,

violated sections "1030(a) (2), 1030(a) (5), and/or other

subsections of Section 1030(a)," Complaint, Count I, 5 31,

because her confidential medical records were accessed by someone

without authorization (or who exceeded authorized access) . It

appears that subsections 1030(a)(2) and (5) are the only

provisions arguably relevant to this case. Subsections

1030(a)(1), (3), (4), (6), and(7) are inapplicable because they

relate to classified government information, government

computers, and/or require an intent to defraud or extort, none of

which has been alleged in the complaint.

Section 1030(a) (2) makes it unlawful to:

intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain [] - (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency, as such terms are defined in the Fair Credit Reporting Act . . .; or

8 (B) information from any department or agency of the United States; or (C) information from any protected computer if the conduct involved an interstate or foreign communication[.]

18 U.S.C. § 10 3 0 (a)(2).

Section 10 3 0 (a) (5) applies to anyone who

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.

18 U.S.C. § 1030 (a) (5) .

The CFAA defines "damage" as

any impairment to the integrity or availability .of data, a program, a system, or information, that - (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals; (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (C) causes physical injury to any person; or (D) threatens public health or safety[.]

18 U.S.C. § 1030(e)(8) (emphasis supplied).

9 Application to Doe's Claims

To establish the elements of a private cause of action under

the CFAA, Doe must show that she has suffered "damage" (as

defined by the statute) or "loss." It is doubtful that she can

do either.

The statutory definition of "damage" is somewhat ambiguous,

because it is not clear what is meant by the phrase "impairment

to the integrity . . . of information." Doe suggests the phrase

should be construed to cover Dr. Lohn's unauthorized reading of

her confidential medical records. In other words. Doe says that

an unauthorized reading of confidential medical records operates

to "impair the integrity" of those records. Defendants counter

that the phrase "impairment to the integrity . . . of

information" means some disruption of the functioning, security,

or reliability of computer systems, programs, data, or

information.

Whether the CFAA's civil action provisions cover a

physician's unauthorized review of computerized medical records

is a somewhat novel question that does not appear to have been

addressed by any court. While pertinent legislative history

shows that the "premise of . . . subsection [1030(a) (2)] is

10 privacy protection," see S. Rep. No 104-357, p t . IV(B) (1996)

(quoting S. Rep. No. 99-434 (1986)), and Congress accordingly

created criminal penalties for using a computer to invade

privacy, see 18 U.S.C. § 1030(a)(2), (c), it is far less apparent

that Congress intended to also provide a federal civil remedy for

what is essentially a state common law tort - invasion of

privacy.

In any event, the point is not dispositive in this case.

Under subsection 1030(g) of the Act Doe can only "maintain a

civil action against the violator See 18 U.S.C. §

1030(g) (emphasis supplied). Dr. Lohn was clearly the

"violator;" it was she who accessed Doe's computerized medical

records without authority. Nothing presented by plaintiff

suggests that the Dartmouth defendants violated the CFAA in any

respect. They not only did not access Doe's medical records

without authority, but in fact were victimized by Lohn's breach

of the policies established to protect Doe's confidentiality.

The only way Doe could maintain a civil action against the

Dartmouth defendants under the CFAA would be on a theory of

vicarious liability or agency.

11 Doe argues that the Dartmouth defendants could be held

vicariously liable for Lohn's invasion of her privacy under New

Hampshire law. But that argument is not very helpful, because

whether a federal statute "embraces such principles [of vicarious

liability] is a matter of statutory interpretation based upon

congressional intent." Atlantic Financial Management, Inc., 784

F.2d 29, 31 (1st Cir. 1986) (emphasis added). "[T]he courts have

tended to read congressional statutes that impose tort-like

liability to embrace at least some of these well established

common law agency principles, where language permits and doing so

furthers basic statutory purposes." Id. In this case, imposing

vicarious liability on the Dartmouth defendants in this case

would neither be permitted by the language of the CFAA itself,

nor would it further the basic purpose of the Act.

First, the CFAA is essentially a criminal statute. It

creates only a limited private right of action "against the

violator," that is, against a person who violates the statute

with the requisite criminal intent. See 18 U.S.C. § 1030(g)

(emphasis added). Expanding the private cause of action created

by Congress to include one for vicarious liability against

persons who did not act with criminal intent and cannot be said

12 to have violated the statute, like the Dartmouth defendants,

would be entirely inconsistent with the plain language of the

statute.

Second, the CFAA's unequivocal purpose is to deter and

punish those who intentionally access computer files and systems

without authority and cause harm. See S. Rep. No. 104-357, pts.

II, III. The civil cause of action was later added to the CFAA

to enhance its deterrent effect and provide a means by which

victims of computer crimes might obtain compensation, to the

extent they suffer defined damages or loss. See S. Rep. No. 101-

544, p t . III. The CFAA's prohibitions related to access in

excess of one's authority, see, e.g., 18 U.S.C. § 1030(a) (2) (c) ,

(5)(b), were presumably intended to place those who maintain

computer systems (and who extend only limited access to some

people, such as the Dartmouth defendants) within the class of

protected persons.

In this case. Dr. Lohn was granted only limited access to

Dartmouth's computerized patient records. The Dartmouth

defendants imposed the limitation - and they imposed the

limitation for the very purpose of protecting patient

confidentiality. Dr. Lohn violated the CFAA only because she

13 exceeded the limitations placed on her access by the Dartmouth

defendants themselves. To hold the Dartmouth defendants

vicariously liable for Lohn's intentional violation of the CFAA,

when that violation necessarily involved included an intentional

violation of the defendants' own policies - and actually

victimized the Dartmouth defendants, would hardly be consistent

with, or further the purpose of, the CFAA, which, after all, is

intended to protect computer systems like Dartmouth's from

unauthorized access and concomitant damage. See 18 U.S.C. §

1 0 3 0 (a) (2) (C) .

Parenthetically, assuming Dr. Lohn's unauthorized reading of

Doe's medical records resulted in an "impairment to the integrity

of the data, ... or information that . . . modifie[d] or

impair[ed], or potentially modifie[d] or impair[ed] the medical

. . . treatment, or care of one or more individuals," the

Dartmouth defendants would also have a civil claim against Dr.

Lohn under the CFAA. See 18 U.S.C. § 1 0 3 0 (a)(5)(b), (e)(8), (g).

Holding the Dartmouth defendants vicariously liable to Doe for

Dr. Lohn's intentional CFAA violation would turn the protective

statute - meant to protect Dartmouth's computer systems - on its

head. C f . Dakis v. Chapman, 574 F. Supp. 757, 760 (N.D. C a l .

14 1983) (declining to find vicarious liability under the Racketeer

and Influenced and Corrupt Organizations Act where "it would be

an anomalous result indeed if, because [the employee] had misused

his authority to trade the accounts, and had actually violated

internal guidelines of the firms by doing so, the firms were

nonetheless deemed 'aggressor' enterprises liable under RICO").

It is not necessary to determine, therefore, whether Dr.

Lohn's activity did or did not fall within the scope of her

employment for respondeat superior purposes under New Hampshire

law. Nor is it necessary to decide whether Doe's claimed

injuries qualify as "damage" or "loss" as defined by the CFAA.

On the undisputed facts of this case, neither the language nor

the purpose of the CFAA are consistent with holding the Dartmouth

defendants vicariously liable for Dr. Lohn's intentional

violation of the Act. See In re Atlantic Financial Management,

Inc., 784 F.2d at 31. The Dartmouth defendants may or may not be

vicariously liable for Lohn's invasion of Doe's privacy, or some

related tort, under applicable state law - that is a matter for

the state courts - but they are not liable to Doe for Dr. Lohn's

intentional criminal violations of the CFAA, and they, of course,

have not violated the CFAA themselves.

15 Conclusion

Because Doe cannot maintain a private cause of action under

the CFAA against the Dartmouth defendants based on Dr. Lohn's

conduct, defendants' motion for summary judgment (document no.

34) is granted as to Count I.

Having disposed of Doe's only federal claim, the court

declines to exercise supplemental jurisdiction over the remaining

state law claims. See generally, Camelio v. American Federation,

137 F.3d 666 (1st Cir. 1998). Accordingly, those claims are

dismissed without prejudice and may be filed in a state court of

competent jurisdiction.

The Clerk shall enter judgment in accordance with the terms

of this order and close the case.

SO ORDERED.

Steven J. McAuliffe United States District Judge

July 19, 2001

cc: Susan S. Rockwell, Esq. William E. Whittington, IV, Esq. Michael P. Lehman, Esq. James J. Bianco, Jr., Esq.

16 17