J.M. v. Illuminate Education, Inc. (May 14, 2026, No. S286699) 2026 WL 1340681
Plaintiff’s school district contracted with defendant, an education technology company that provided data storage and dyslexia screening tools. Plaintiff’s medical information was provided to the district, which in turn shared it with defendant. After a data breach resulted in unauthorized access to plaintiff’s and other students’ medical information, plaintiff brought a class action suit against defendant under the Confidentiality of Medical Information Act (CMIA; Civ. Code, § 56 et seq.) and the Customer Records Act (CRA; Civ. Code, § 1798.80 et seq.). The trial court dismissed the suit for failure to state a claim, the Court of Appeal reversed, and the Supreme Court granted review.
The Supreme Court held that plaintiff failed to state a claim because defendant was not a “provider of health care” under the CMIA, which only covers businesses maintaining medical information for records management or diagnosis and treatment. The Court also held that plaintiffs alleging a breach of confidentiality under the CMIA need not show that medical information was viewed by an unauthorized party, disapproving several contrary Court of Appeal decisions. The Court held instead that it is sufficient to allege medical information was exposed to a significant risk of unauthorized access or use.