The California Supreme Court ruled plaintiffs can bring lawsuits regarding medical record data breaches without proving who actually viewed the information.
But the court nonetheless sidelined a lawsuit from a student who tried to sue an educational contractor for allegedly losing track of his personal information in a data breach.
The dispute centered on how to interpret the state laws known as the Confidentiality of Medical Information Act (CMIA) and the Customer Records Act. A minor, identified in court as J.M., initiated a class action targeting Illuminate Education, which contracts with many districts, including the Ventura County Office of Education. According to court filings, a 2022 data breach subjected student medical information to unauthorized access. After Ventura County Superior Court Judge Benjamin Coats dismissed the complaint for failure to state a claim, the California Second District Appellate Court reversed the ruling.
The Supreme Court granted review to decide whether J.M. had a valid claim under either law. Justice Goodwin Liu wrote the unanimous opinion, filed May 14, while Justice Joshua Groban filed a concurring opinion. Justice Martin Buchanan, of the Fourth District California Appellate Court, sat on the panel in place of Justice Martin Jenkins.
J.M.’s complaint called for a class of all Californians who got notice of the data breach, claiming they were “placed at an imminent, immediate, and continuing increased risk of harm from fraud and identity theft.” In arguing for dismissal, Illuminate convinced Judge Coats it wasn’t a health care provider, contractor or administrator in the way CMIA defines those terms. Coats also found there wasn’t an actionable information “disclosure” or “release.” Regarding the Customer Records Act, Illuminate noted the county education office was its customer, not individual students, and said it didn’t own or license any of the data at issue.
The Supreme Court opinion distinguished between using student information to assess educational needs, monitor progress and provide appropriate services, on the one hand, and the provision of “medical information to health care providers,” on the other, Liu wrote. Diagnosing students’ needs, even through the use of dyslexia screening, doesn’t equate to the exercise of medical care, the opinion said.
“The complaint does not indicate, for example, whether students and parents have access to students’ medical information for noneducational purposes, or whether the internet platforms enable students and parents to download the information for their own use or to access the information whenever they wish,” Liu wrote. “The complaint’s bare mention of ‘access provided … to students and parents’ is insufficient to bring Illuminate within” the type of business CMIA addresses.
Although CMIA has a broad construction with an eye toward technology that develops more quickly than legislation is enacted, Liu continued, there are limits, which the court said “is reflected in the Legislature’s decision to include a specific definition of ‘providers of health care’ that does not sweep within its ambit any entity that stores medical information.”
But the court agreed with J.M. that the possibility of unauthorized data access is sufficient grounds for a lawsuit. Liu said the justices were not expressing a view on the outcomes of earlier litigation, yet resolved to “reject the rule that no breach of confidentiality has occurred until medical information is actually viewed by an unauthorized person. Further, we agree with the Attorney General that ‘the key criterion in determining whether a confidant has failed to preserve the confidentiality of information is whether the information is exposed to a significant risk of unauthorized access or use.’ ”
Whether or not someone sees data, Liu continued, patient confidentiality is compromised if the records aren’t kept secret or private. Lawmakers provided for nominal damages of $1,000 and clarified the recovery was available to those who suffered no legal damage beyond a data breach, signaling “that liability under the statute focuses on the allegedly negligent conduct of the covered entity, not on the resulting harm to the plaintiff.”
The court allowed for the possibility that some circumstances involving improper access to protected data are ancillary when the primary concern is a hardware theft, explaining the existing legal “standard is sufficiently flexible” to allow judges to discern intent.
“Circumstances potentially relevant to whether information is exposed to a significant risk of unauthorized access or use include the form, duration, and extent of the data breach, as well as any mitigation efforts by the covered entity,” Liu wrote. “Loss of possession of the information is a relevant factor, but it is neither necessary nor always sufficient by itself to establish breach of confidentiality. All relevant circumstances must be considered.”
However, the court also said J.M. couldn’t sue under the Customer Records Act because the complaint doesn’t establish him or other potential class members as Illuminate customers. To the extent J.M. provided any medical information, he did so to the school district and not directly to Illuminate. The court said the Customer Records Act doesn’t allow civil suits by all beneficiaries or consumers, but only, and expressly, by customers of a covered business.
In his concurrence, Justice Groban went further than the rest of the justices, writing that J.M. failed to allege a disclosure in violation of CMIA. He also said that, in addition to agreeing the complaint didn’t allege Illuminate is a health care provider, J.M. cannot adequately amend his complaint to make such a showing. Finally, he emphasized the majority’s clarification on the risk of access to protected data versus a showing that an unauthorized party actually saw something it shouldn’t have.
“The standard the majority adopts in place of the ‘actually viewed’ rule — that a plaintiff must show ‘a significant risk of unauthorized access or use’ — must therefore have some force: It cannot be satisfied by mere speculation or a theoretical possibility of access inherent any time data comes into the possession of an unauthorized third party,” Groban wrote. “Rather, a ‘significant risk’ must be grounded in facts showing that unauthorized access to or use of the data is reasonably likely under the circumstances. Such a risk will not exist where the surrounding facts make access or use unlikely — for example, where stolen data is protected by robust encryption.”
The majority opinion allowed the lower courts to consider giving J.M. a chance to amend the complaint again, but Groban said he hadn’t “demonstrated a reasonable possibility of curing the defects.”
J.M. is represented by the firm of Potter Handy, of San Francisco.
Illuminate is represented by the firm of Kirkland & Ellis, of Salt Lake City.
California Attorney General Rob Bonta filed a support brief on behalf of J.M.