J.M. v. Illuminate Education, Inc. (May 14, 2026, No. S286699) __ Cal.5th __, 2026 WL 1340681
J.M., a minor, attended school in a district that contracted with Illuminate Education to store student data, including medical information such as dyslexia screening results, to help the district meet students’ educational needs. After Illuminate discovered someone without authority had access to its databases, J.M. brought a class action against Illuminate for violating the Confidentiality of Medical Information Act (“CMIA”) (Civ. Code, § 56 et seq.) and the Customer Records Act (“CRA”) (Civ. Code, § 1798.80 et seq.). J.M. alleged that, following the data breach, he had received solicitations from third parties based on the information he provided to the school district. The trial court dismissed the complaint for failure to state a claim, ruling that J.M. had not adequately alleged Illuminate was a “provider of health care,” “contractor,” or “administrator” under the CMIA, or that it “own[ed] or license[d]” the breached data, or that it otherwise owed J.M. a duty under the CRA. The Court of Appeal reversed, holding that both statutes embraced Illuminate’s platform and that the trial court abused its discretion by denying leave to amend. The Supreme Court granted review and reversed.
The Supreme Court held that J.M. failed to state a CMIA claim because Illuminate did not maintain confidential information for use by a health care provider. Examining the statute’s text and legislative history, the Court concluded the CMIA covers only businesses that maintain medical information for the purpose of medical diagnosis or treatment. J.M. alleged that Illuminate’s platform provides educators, students, and parents access for educational planning and evaluation, not medical care. Because J.M. failed to allege that Illuminate made medical information available to healthcare providers for the purpose of diagnosing or treating a medical condition, the CMIA did not apply to Illuminate’s services.
The Supreme Court also clarified the standard for failure-to-preserve claims under the CMIA: a plaintiff need not allege that medical information was actually viewed by an unauthorized third party. Instead, a plaintiff need only allege a significant risk of unauthorized access to or use of the information, disapproving Regents of the University of California v. Superior Court (2013) 220 Cal.App.4th 549, Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, and Vigil v. Muir Medical Group (2022) 84 Cal.App.5th 197.
Finally, the Supreme Court held Illuminate was not a proper CRA defendant. J.M. provided his personal information to the school district, not to Illuminate, and therefore was not Illuminate’s customer. The Supreme Court remanded for the lower courts to determine whether to grant J.M. leave to amend.
