Eisenhower Medical Center is not liable for a March 2011 data breach that exposed private information of more than 500,000 patients, a California appellate court has ruled.

A class-action lawsuit was filed against the medical center, claiming it violated California’s Confidentiality of Medical Information Act (CMA) after someone stole a computer that contained patient information, including birth dates, partial Social Security numbers, names, ages and medical record numbers.

A lower court had rejected the hospital’s claims that medical data was not disclosed in the breach and rejected its petition for a summary judgment.

But the appellate court ruled “that a health care provider cannot be held liable under the relevant portions of the CMA for the release of an individual’s personal identifying information that is not coupled with that individual’s medical history, mental or physical condition, or treatment.”