KEITH HANCOCK, TAMERA THOMAS, JASON DESSINGUE, Plaintiffs-Appellants, v. THE COUNTY OF RENSSELAER, JACK MAHAR, ELAINE YOUNG, DAVID HETMAN, Defendants-Appellees.1
Appeal from a judgment of the United States District Court for the Northern District of New York (Norman A. Mordue, J.), dismissing Appellants' claims under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and granting summary judgment to Appellees on Appellants' Section 1983 claim for violation of their right to privacy under the Fourteenth Amendment. Because Appellants failed to present evidence that they suffered a modification or impairment of their medical care or economic damages, we affirm the district court's judgment with respect to the CFAA claim. Because we conclude that Appellants did have rights to privacy in their medical records and there were genuine disputes as to whether these rights were violated, we vacate the district court's judgment with respect to the Section 1983 claim and remand to the district court for reconsideration. We also direct the district court to determine whether qualified immunity might apply.
Affirmed in part and vacated in part.
Appellants were employees of the Rensselaer County Jail. Their medical records were secretly accessed without their permission by at least one other employee at the Jail. They sued in the United States District Court for the Northern District of New York, alleging violations of their right to privacy in health information under the Fourteenth Amendment and of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. The district court dismissed all of the CFAA claims for failure to state a claim. After discovery, it granted summary judgment to Appellees on the Fourteenth Amendment claims, reasoning that Appellants did not have a constitutionally protected interest in medical privacy because the medical conditions described in their records were insufficiently stigmatizing. Appellants appealed both rulings. We now AFFIRM the district court's determination regarding the CFAA claims and VACATE its determination regarding Appellants' right to privacy in medical records. Regarding the latter, we find that even individuals with non-stigmatizing medical conditions have a right to privacy in their medical records, even if their interest in privacy might be less. We REMAND this case back to the district court for further proceedings consistent with this analysis, including a consideration of whether qualified immunity might apply.
I. Factual Background
Troy, New York is home to both Samaritan Hospital and Rensselaer County Jail. Samaritan serves as the primary healthcare provider for most of the Jail's detainees and many of its employees. Appellants are among those employees who have seen doctors at Samaritan.
The Jail does not rely entirely on Samaritan for healthcare services; it also employs its own medical staff. That staff included Elaine Young, a registered nurse. To facilitate continuity of care, Samaritan provided Young with electronic access to Samaritan's medical records on three computers at the Jail through a password-protected system. Logging in with this password provided unlimited access to Samaritan's entire medical records system.
Before she was granted access to Samaritan's record system, Young signed a one-page clearly worded agreement stating that she would only use the system in a way that preserved patient confidentiality. This consent form cautioned that “Federal law and regulations strictly limit the purposes for which patient information may be accessed and used.” App'x at 1679. Its terms then restricted use for the purposes of “providing medical treatment to the patient,” “securing payment for treatment of the patient,” and “quality assurance activities, professional competence review activities and health care fraud or abuse detection.” Id. Accessing Samaritan's system for “other purposes” was only permitted with “signed authorization of the patient” or “approval of the [Samaritan] Privacy Officer.” Id.
Young had apparently been unable to obtain passwords for other nurses to use, so she taped her login information inside a drawer at the nurse's desk at the Jail. Any person who knew where the password was kept and had access to that desk could thus view any of Samaritan's medical records.
In late 2011, Samaritan learned that “health information relating to a patient of Samaritan Hospital may have been accessed for an improper purpose by an employee” of the Jail. App'x at 35, 41, 47. After an investigation, Samaritan determined that the password assigned to Young had been used to access the medical records of multiple non-inmate patients, including some Jail employees. Samaritan thereafter deactivated Young's account and requested that the office of the Rensselaer County Sheriff investigate. Jack Mahar, the Rensselaer County Sheriff, was also in charge of running the Jail.
Mahar appointed Corrections Lieutenant James Karam to conduct the investigation. Karam did so until August 2012, when he resigned due to medical issues and the pressure that Mahar allegedly placed on him. According to Karam, Mahar had attempted to convince Karam to delay the investigation to prevent at least one employee from being notified that his medical records had been accessed. No one was ever criminally prosecuted for accessing Samaritan's medical records.
In March 2013, Samaritan sent letters to patients whose records its internal investigations found had been viewed without their permission. The letters detailed when and for how long each patient's medical records had been accessed via Young's account.
Confronted with this information, a number of patients sued the County of Rensselaer and several of its employees. Some of these lawsuits have been settled; some continue at the district court level. E.g., Pasinella v. County of Rensselaer, No. 13-cv-00607, consent order (N.D.N.Y. Sept. 23, 2014); Colantonio v. County of Rensselaer, No. 14-cv-00107, judgment dismissing by reason of settlement (N.D.N.Y. Apr. 24, 2015); Karam v. County of Rensselaer, No. 13-cv-01018, order and stipulation of discontinuance (N.D.N.Y. Sept. 6, 2016); Snyder v. County of Rensselaer, No. 14-cv-00242, order and stipulation of dismissal (N.D.N.Y. Sept. 26, 2014); Rogers v. Mahar, No. 14-cv-01162, order and stipulation of dismissal (N.D.N.Y. Jan. 25, 2016); Momrow v. County of Rensselaer, No. 15-cv-00521, complaint filed (N.D.N.Y. Apr. 29, 2015).
Appellants are among those who received the letter from Samaritan and subsequently sued. Relying on the preliminary results of Karam's investigation and on a number of depositions taken across many of these cases, they allege that their records were accessed as part of Mahar's campaign to rein in Jail employees' use of sick leave. It is undisputed that Mahar enforced a sick leave policy that penalized employees deemed to be taking “excessive” sick leave. Appellants note that access of their medical records took place during or soon after instances in which they had taken “extended or unexpected” sick leave. Appellants' Br. at 9. They allege that Mahar or somebody acting under Mahar's direction either used Young's password or directed Young to do so in order to determine whether Appellants had been using sick leave in accordance with the policy Mahar was enforcing. Appellees offer no alternative explanation or justification for the unauthorized access of Appellants' medical records.
II. Procedural History
Appellants filed their initial complaint on September 20, 2013, alleging violations of their rights to privacy implied by the Due Process Clause of the Fourteenth Amendment and of their rights under the CFAA. On September 24, 2014, the district court granted Appellees' motion to dismiss with respect to the claims under the CFAA, determining that Appellants had failed to allege the damages required by that statute. It denied the motion with respect to the civil rights claim.
On February 10, 2015, Appellants filed an amended complaint alleging only the civil rights cause of action. After more than a year of discovery, Appellees moved for summary judgment on Appellants' Section 1983 claim. The motion was granted in August 2016. Hancock v. County of Rensselaer, No. 1:13-CV-1184, 2016 WL 8732374 (N.D.N.Y. Aug. 5, 2016).
Relying heavily on its interpretation of our previous decision in Matson v. Board of Education of City School District of N.Y., 631 F.3d 57 (2d Cir. 2011), the district court found that Appellants failed to show that they had a constitutionally protected right to privacy in their medical records. The court read Matson as limiting the right to privacy in one's medical records only to those records that contain evidence of medical conditions that are both serious and stigmatizing. Hancock, 2016 WL 8732374, at *3. It found that none of the Appellants had information in their histories that would expose them to discrimination and intolerance, so none of them could establish that their Fourteenth Amendment rights had been violated. Id. at *3-4.
Final judgment was filed in favor of Appellees on August 8, 2016. This appeal of both the dismissal and the grant of summary judgment was filed on August 17.
I. CFAA ClaimsA. Standard of Review
Although “[i]t is well settled that an amended pleading ordinarily supersedes the original and renders it of no legal effect,” we do not require futile repleading of a claim that has been dismissed with prejudice. In re Crysen/Montenay Energy Co., 226 F.3d 160, 162 (2d Cir. 2000). Thus, the fact that Appellants' amended complaint lacked the CFAA cause of action does not amount to a waiver of that cause of action for purposes of appellate review. Id.
“We review de novo a district court's decision to dismiss a complaint pursuant to [Federal] Rule [of Civil Procedure] 12(b)(6), accepting all factual allegations as true and drawing all reasonable inferences in the plaintiff's favor.” Crawford v. Cuomo, 796 F.3d 252, 256 (2d Cir. 2015) (citation omitted). “To survive a 12(b)(6) motion, the complaint must contain factual allegations that plausibly give rise to an entitlement to relief.” Id. (citation omitted).
Congress originally enacted the CFAA in 1984 to criminalize the then-novel problem of hacking. Ten years later, it added a private right of action. See Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, § 290001(d), 108 Stat. 1796 (1994). The scope of the civil actions permitted under this new Section 1030(g), however, has always been limited. “A civil action for a violation of [the CFAA],” that section states, “may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” 18 U.S.C. § 1030(g). Only subclauses (I) and (II) are at issue here. We agree with the district court that Appellants failed to plead damages under either.
Subclause (I) covers “loss to 1 or more persons during any 1-year period․ aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). Section 1030(g) specifically limits its application to economic damages.
Economic damages have not been pled. Appellants argue instead that Subclause (I) on its face applies broadly and point to a non-precedential summary order from this Court holding that the 2001 amendments to the CFAA broadened Section 1030(g) to include “compensatory damages and injunctive relief or other equitable relief.” Garland-Sash v. Lewis, 348 F. App'x 639, 641-42 & n.1 (2d Cir. 2009). This summary order is incorrect. While the first sentence of Section 1030(g) does generally permit “compensatory damages and injunctive relief or other equitable relief,” two sentences later it states quite unambiguously: “damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic [d]amages.” We can find no evidence that this language meaningfully changed in 2001 or in any of other amendments of the CFAA. Appellants' inability to plead economic damages thus dooms their attempt to apply Subclause (I).
Subclause (II) refers to damages based on “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals.” 18 U.S.C. § 1030(c)(4)(A)(i)(II). Appellants claim that Mahar's ability to access their medical records as part of his crusade against sick leave could have had a chilling effect on their inclination to seek medical care or the time off necessary to obtain it. We are not unsympathetic to this hypothetical, but it remains merely hypothetical. Appellants state no facts about any of their actual experiences seeking medical care that “nudge[s] their claims across the line from conceivable to plausible.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007), preventing them from using Subclause (II) to state a cause of action under the CFAA.
II. Fourteenth Amendment Claims
A. Standard of Review
“We review a district court's grant of summary judgment de novo.” Marvel Characters, Inc. v. Kirby, 726 F.3d 119, 135 (2d Cir. 2013) (citation and internal quotation marks omitted). “In reviewing a summary judgment decision, we apply the same standards applied by the district court. Under this standard, summary judgment may be granted only if there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law. In determining whether there is a genuine dispute as to a material fact, we must resolve all ambiguities and draw all inferences against the moving party.” Id. (internal quotation marks and citations omitted).
Appellants sue under 42 U.S.C. § 1983 for violations of their Fourteenth Amendment rights to privacy. At issue is whether Appellants have suffered a constitutionally prohibited wrong.
1. The Right to Privacy in Medical Records
To determine whether a constitutional violation has occurred, we must first identify the right at stake. See O'Connor v. Pierson, 426 F.3d 187, 201 (2d Cir. 2005). Appellants invoke the right to privacy in information about one's body. In doing so, they successfully identify a constitutional right.
The Due Process Clause of the Fourteenth Amendment requires states to operate in accordance with the “fundamental principles of liberty and justice which lie at the base of all our civil and political institutions.” Duncan v. Louisiana, 391 U.S. 145, 148 (1968). Nearly all of the Constitution's specifically enumerated protections against government agents' abuses of public power have been found to be fundamental in this sense. See McDonald v. City of Chicago, Ill., 561 U.S. 742, 759-66 (2010) (discussing the development of Fourteenth Amendment due process jurisprudence). Many of these protections would have little practical effect without heightened suspicion of governmental intrusion into certain identity-defining areas of life. These areas of life have been found so important that, even when there is not a constitutionally enumerated right on point, due process requires state government act with special solicitude for this fundamental “zone of privacy.” Griswold v. Connecticut, 381 U.S. 479, 485 (1965).
The Supreme Court has long implied that the zone of privacy protects “the individual interest in avoiding disclosure of personal matters.” Whalen v. Roe, 429 U.S. 589, 599 (1977); see also National Aeronautics & Space Administration v. Nelson, 562 U.S. 134, 147-49 (2011) (assuming, without expressly deciding, that the Constitution affords this protection). Along with many of our sister circuits, we have explicitly recognized the right to privacy in one's personal information, including information about one's body. Schachter v. Whalen, 581 F.2d 35, 37 (2d Cir. 1978); Doe v. City of New York, 15 F.3d 264, 267 (2d Cir. 1994); United States v. Westinghouse Electric Corp., 638 F.2d 570, 577 (3d Cir. 1980); Fadjo v. Coon, 633 F.2d 1172, 1175 (5th Cir. Unit B Jan. 1981); Pesce v. J. Sterling Morton High School, District 201, Cook County, Ill., 830 F.2d 789, 795-98 (7th Cir. 1987); Seaton v. Mayberg, 610 F.3d 530, 534 (9th Cir. 2010); Lankford v. City of Hobart, 27 F.3d 477, 479 (10th Cir. 1994); In re Zuniga, 714 F.2d 632, 641 (6th Cir. 1983) (assuming the existence of a constitutional right to privacy); but see Borucki v. Ryan, 827 F.2d 836, 840-42, 848-49 (1st Cir. 1987) (finding the constitutional right to privacy not clearly established for qualified immunity purposes); American Federation of Government Employees, AFL-CIO v. HUD, 118 F.3d 786, 791-93 (D.C. Cir. 1997) (expressing doubt about the constitutional right to privacy in the non-disclosure of personal information). Medical records contain such information. The Fourteenth Amendment's due process clause thus protects individuals in this circuit from arbitrary intrusions into their medical records.
2. Weighing Interests in the Privacy of Medical Records
Although it is fundamental, the constitutional right to privacy is not absolute. In various situations the government has a legitimate interest in accessing and even publicizing medical records. See Doe, 15 F.3d at 269; Barry v. City of New York, 712 F.2d 1554, 1559 (2d Cir. 1983); Westinghouse, 638 F.2d at 578-79; Seaton, 610 F.3d at 534. A constitutional violation only occurs when the individual's interest in privacy outweighs the government's interest in breaching it.
How we weigh these interests depends on whether a government acts in its legislative or executive capacity.2 When evaluating legislative action, we apply intermediate scrutiny, in which we ask whether a given statute is substantially related to an important government interest. We then balance that interest against the individual's interest in privacy. Barry, 712 F.2d at 1559; Doe, 15 F.3d at 269-70; Powell v. Schriver, 175 F.3d 107, 112 & n.2 (2d. Cir. 1999); O'Connor, 426 F.3d at 202-03; see also Westinghouse, 638 F.2d at 578 (articulating seven factors to balance). When evaluating executive action that does not involve penological interests,3 the test is different: we ask whether the action was so “arbitrary” as to “shock the conscience.” O'Connor, 426 F.3d at 203. “[W]hether executive action shocks the conscience depends on the state of mind of the government actor and the context in which the action was taken.” Id. “[M]ere negligence” is not enough—indeed, “only the most egregious official conduct” shocks our consciences—but how egregious conduct has to be in order to be shocking depends on a context-specific balancing. Id. Malicious invasions of privacy are constitutionally unacceptable even in the face of weak individual privacy interests. See County of Sacramento v. Lewis, 523 U.S. 833, 849 (1998) (discussing such a situation). Stronger privacy interests will be required to hold executive actors liable who acted with less culpable mental states.
Before discussing the balancing in this case in more detail, we note that most situations in which a government actor accesses an individual's personal information will not require the application of a balancing test to determine whether a due process violation has occurred. For instance, when an individual gives informed consent to the access or publication of certain information and an official has acted within the scope of that consent, there is no ground for constitutional challenge. A government actor cannot invade the zone of privacy if they have been invited in. As well, if a breach of privacy takes a form courts have previously approved—whether because it is pursuant to a legislative scheme that has passed constitutional muster or because it fits the pattern of case law—there will be no need for case-by-case balancing. Conversely, we can summarily condemn invasions of privacy that take a form that has already been found to violate due process.
But Appellants have not consented to the access of their medical records, and that access does not take a form that has been previously adjudicated. So a context-specific balancing is necessary. In front of us are executive actions, and Appellants are not prisoners. So the invasions of privacy here should be evaluated according to a shocks-the-conscience standard.
In defining the privacy interest in various medical conditions, we “proceed on a case-by-case basis,” examining all of the relevant factors. Matson, 631 F.3d at 66-67. Relying on our decision in Matson, the district court found that if a plaintiff has a sufficiently weak individual interest in privacy, the inquiry should end there. Hancock, 2016 WL 8732374, at *3-4. On appeal, Appellees defend the proposition that only sufficiently serious medical conditions give rise to any interest in privacy at all. Turning Matson's reasoning into a threshold test extends it too far. We have never held, in Matson or elsewhere, that only medical records documenting conditions of sufficient gravity and stigma may qualify for constitutional privacy protection. Unlike in the Fourth Amendment context, the substantive due process inquiry does not require an individual to establish the reasonability of their particular interest in privacy before any consideration of the government's interest becomes relevant. Cf. Terry v. Ohio, 392 U.S. 1, 9 (1968) (recognizing a search “wherever an individual may harbor a reasonable ‘expectation of privacy’ ” (citation omitted)). Instead, substantive due process protects privacy in certain categories of personal information—medical information, as relevant here. An individual's interest in maintaining such information confidential is not just presumptively reasonable, it is fundamental.
The strength of a privacy interest is relevant to the due process inquiry, but only in service of determining how strong the government's interest must be in order to override it. Appellees and the district court correctly point out that we have repeatedly found that determining the strength of this interest requires taking into account the seriousness of the condition and the stigma associated with it. Matson, 631 F.3d at 66-67; O'Connor, 426 F.3d at 201; Powell, 175 F.3d at 111; Doe, 15 F.3d at 267. Yet other factors may also be relevant, such as how detailed the medical record is and whether a plaintiff has done anything to indicate a lack of interest in privacy in the particular information at issue. Cf. Matson, 631 F.3d at 66 (discussing how disclosure to a third party may lower one's reasonable interest in preventing further disclosure).
And the inquiry cannot be overly individualized. An interest in medical privacy derives not just from a desire to keep one's medical conditions to oneself but also from the collectively enjoyed benefit of being able to expect confidentiality from those we depend on to care for the most intimate aspects of our lives. A slow drip of exceptions would erode that protection beyond recognition. As such, the interest in preserving the integrity of the doctor-patient relationship deserves its own consideration independent of the idiosyncrasies of the privacy invasion. The baseline individual interest in privacy is thus substantially greater than whatever the least abashed individual would allow.
Some clarification of Matson is apparently in order. That case dealt with a school that had publicly disclosed the fibromyalgia of its music teacher as part of a report on her alleged abuse of the school's sick leave policy. Matson, 631 F.3d at 60-61. Matson, the music teacher, would take sick leave and then work at another job as an orchestra conductor. Id. at 58-59. Her doctor attested to the school that Matson's fibromyalgia was brought on by the stressful teaching environment, but that she was able to conduct elsewhere without incident. Id. at 59-60. We found that the fact that Matson had already disclosed her medical condition to the school and the fact that it was not as serious or stigmatizing as other conditions made her privacy interest relatively weak. Id. at 66 (differentiating the government's disclosure of information already obtained from plaintiff's disclosure to the government), id. at 67-68 (discussing the relative seriousness and stigma of fibromyalgia). Then we weighed this weak interest against the school's interest in issuing public reports as part of its “efforts to eradicate fraud, misconduct, conflicts of interest, and other wrongdoing.” Id. at 68 (internal citation and quotation marks omitted). We found that, in these circumstances, Matson's privacy rights were not violated.
Before Matson, we had suggested that the strength of the privacy interest mattered, but we had never actually been confronted with a weak privacy interest. So we had not had the opportunity to articulate how it might affect the analysis. See, e.g., Doe, 15 F.3d at 267; Powell, 175 F.3d at 111; O'Connor, 426 F.3d at 201. Matson gave us the chance to clarify that when the strength of a privacy interest is sufficiently weak it can be overwhelmed by even a moderately strong government interest in disclosure. We emphasized the relatively less serious nature of the disorder and the lack of discrimination associated with it both because they were the most important factors in our balancing and because they were what was novel about the case. But they were not the only factors we considered, let alone the threshold beyond which no further analysis could pass.
Accepting the district court's alternative reading of Matson would leave us with an illogical doctrine that implicitly abrogates our previous decisions. If the right to privacy were to depend exclusively on the seriousness of the condition one seeks to keep private, medical records would not truly be protected from arbitrary government intrusion. It would be as if the First Amendment allowed a particular person to speak only if they could show they have something worth saying, or if the Fourth Amendment required individuals to obtain warrants to prevent the government from searching their effects.
Our decisions before Matson avoided these absurdities by making clear that we apply a balancing test to the government's collection or publication of all medical records. Doe, 15 F.3d at 267 (“[T]here are few matters that are quite so personal as the status of one's health.”); Powell, 175 F.3d at 111 (finding that some medical conditions present a “particularly compelling” privacy interest, but all disorders present some interest); O'Connor, 426 F.3d at 201 (accord). Whether we apply intermediate scrutiny or a shocks-the-conscience test, we focus on the government's interests in the information contained in the records and the manner in which those interests might be achieved. See, e.g., Barry, 712 F.2d at 1559; Doe, 15 F.3d at 269-70; Powell, 175 F.3d at 112 n.2; O'Connor, 426 F.3d at 202-03. The strength of the individual interest in privacy adjusts how closely we scrutinize the government's offered justifications. Matson did nothing to limit these decisions—nor could it have. It took them for granted. It can only be understood in light of them.
All of which is to say that identifying the strength of the individual interest in privacy never ends the analysis. A court applying a shocks-the-conscience test must always examine the executive branch's interest in breaching that privacy. The stronger the individual interest, the more compelling the government actor's reasons must be. But even the weakest privacy interests cannot be overridden by totally arbitrary or outright malicious government action. How to judge the government action depends on context. Government actors with specific duties of confidentiality or care unreasonably invade privacy even if they do so as a result of “deliberate indifference.” See O'Connor, 426 F.3d at 203. On the other hand, a government actor in the midst of a pressing emergency might not be liable for even deliberate invasions. See id. Public disclosure (or threatened public disclosure) of medical information is a greater breach of privacy than one unauthorized government employee viewing the information, so greater care should be expected to prevent the former. Cf. Westinghouse, 638 F.2d at 578-79 (presenting a number of factors to be balanced in a legislative context).4
3. Application to this Case
Because the district court treated the seriousness and stigma of each of Appellants' diagnoses as a threshold inquiry without considering other aspects of the individual privacy interest or the government's intent, we vacate this aspect of its judgment and remand it for reconsideration.
While stigma is not the only consideration, it can still be relevant to the analysis. It is neither necessary nor appropriate for us to determine at this stage in the proceeding whether any condition in Appellants' medical records is in fact stigmatizing. However, during the course of its reconsideration, the district court should re-examine whether it might have set the threshold too high in evaluating Appellants' conditions.
It is at least as important for the district court to consider the fact that Appellees offer no reasons, as far as we can tell, for the breaches of confidentiality. It seems clear that the breaches did not result from inattention, but beyond that it is a disputed issue of fact why they occurred. If Appellants' proffered explanation that Mahar maliciously looked at the records to aid in his enforcement of sick leave policies or to gain leverage over his employees is correct, that would likely shock our consciences. It would do so regardless of the contents of Appellants' medical records. It is exactly this type of abuse of state power that protecting the zone of privacy is meant to guard against.
C. Qualified Immunity
Because the district court found that Appellants did not have claims under the Fourteenth Amendment, it did not have to pass on whether the individual Appellees were entitled to qualified immunity from those claims. In remanding the case, we instruct the court to determine whether Mahar, Hetman, and/or Young are entitled to it.5 We note that on a summary judgment motion, facts are to be interpreted most favorably to non-movants, i.e. Appellants in this case. We have just discussed how their version of the facts plausibly alleges a violation of a constitutional right. That leaves only the question of whether that right was clearly established at the time of the alleged violation, keeping in mind that qualified immunity law does not require a case on point concerning the exact permutation of facts that state actors confront in order to establish a clear standard for their behavior. See Scott v. Fischer, 616 F.3d 100, 105 (2d Cir. 2010).
Because we find that the district court improperly balanced the interests in this case, we VACATE its summary judgment order and REMAND for further proceedings consistent with this opinion, including a consideration of whether the individual Appellees are entitled to qualified immunity. We also AFFIRM the district court's finding that Appellants failed to make out a claim under the CFAA.
2. This is a functional differentiation. Some types of executive actions, such as regulations, are more akin to legislative action.
3. When dealing with the lessened privacy interests of a prison inmate, we give decisive weight to whether a privacy invasion was “reasonably related to legitimate penological interests.” Powell, 175 F.3d at 112.
4. Several district court decisions after Matson have found the seriousness and stigma associated with the medical conditions contained in the records in front of them were dispositive in finding against Appellants who were claiming privacy violations. It may be worth clarifying how our opinion affects two of them, which we think are representative. In Miron v. Town of Stratford, 976 F. Supp. 2d 120 (D. Conn. 2013), the District of Connecticut, applying a shocks-the-conscience test, balanced the privacy interest of a police officer whose medical records were leaked by other police officials seeking to show that he benefited from nepotism due to his lack of fitness to serve against the public interest in knowing about such misconduct. This opinion is entirely consistent with our discussion in the foregoing. In contrast, Barnes v. Abdullah, No. 11 Civ. 8168 (RA), 2013 WL 3816586 (S.D.N.Y. July 22, 2013), comes to the right conclusion using reasoning that does not jibe with today's opinion. There, the Southern District of New York found that arthritis and painkiller use were not sufficiently serious or stigmatizing to merit constitutional protection for the medical records that reflected them. We agree that Barnes's interests in privacy were relatively weak in part for the reasons discussed by the district court, and we agree that Barnes's constitutional right to privacy was not violated. However, we only come to the latter conclusion after considering the penological interests furthered by the disclosure. Barnes's claimed violation was that his medical records had been shared with a non-physician prison staff member who helped to run a substance abuse rehabilitation program. This was a minor infringement on privacy that clearly served the penological interest in rehabilitation.
5. Appellees Mahar and Hetman raise qualified immunity in their brief, but Young does not. Because we do not rule on the question here for any of the Appellees, we do not treat Young's claim to qualified immunity as waived.
POOLER, Circuit Judge