At the Lectern

Statutory data breach lawsuit fails, but Supreme Court makes it somewhat easier for others to sue

May 19, 2026

In J.M. v. Illuminate Education, the Supreme Court last week held that a company that obtained confidential student information from a school district and that suffered a data breach was not liable to the student under either the Confidentiality of Medical Information Act or the Customer Records Act, at least as currently pleaded.  But the court lifted one obstacle to recovery under the CMIA in actions against a different kind of defendant.  It also left open the possibility that the J.M. plaintiff might be given leave to amend his complaint.

The court’s opinion by Justice Liu is signed by all the justices, but Justice Groban filed a separate concurrence.

The defendant could not be sued under the CMIA, the court concluded, because the plaintiff “has not sufficiently alleged that [the defendant] is a ‘provider of health care’ within the meaning of [the Act].”  The court described the defendant as “an educational technology company that collects data on individual students, including medical information, in the course of providing support and services to help school districts meet students’ educational needs.”  “[A]lthough the CMIA was designed to adapt to technological changes in the way medical information is stored and used,” the court said, “its scope has limits. This is reflected in the Legislature’s decision to include a specific definition of ‘providers of health care’ that does not sweep within its ambit any entity that stores medical information.”

But the court did make it easier for a future CMIA plaintiff to sue a defendant who does fit the definition of a health care provider.  The court rejected a rule, advanced by some Courts of Appeal, that there’s been no breach of confidentiality unless medical information has actually been viewed by an unauthorized person.  It said it “agree[d] with the Attorney General that ‘the key criterion in determining whether a confidant has failed to preserve the confidentiality of information is whether the information is exposed to a significant risk of unauthorized access or use.’ ”

If the defendant was not a proper defendant under the CMIA, the plaintiff wasn’t a proper plaintiff under the CRA, the court found.  This was so because the plaintiff “has not sufficiently alleged that he is [the defendant’s] ‘customer’ within the meaning of the CRA.”

Justice Groban’s concurrence stated additional reasons why the plaintiff’s action failed as pleaded, contended that the plaintiff should not be given leave to amend his CMIA cause of action, and attempted to strengthen the court’s “significant risk of unauthorized access or use” rule for CMIA violations.

The court reversed the published opinion of the Second District, Division Six, Court of Appeal.  On the CMIA “actually been viewed” issue, the court disapproved the Second District, Division Seven, decision in Regents of University of California v. Superior Court (Platter) (2013) 220 Cal.App.4th 549; the Third District decision in Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546; and the First District, Division Two, decision in Vigil v. Muir Medical Group IPA, Inc. (2022) 84 Cal.App.5th 197.

There was no petition for review in the Regents case.  The court denied review in Sutter Health with Justice Werdegar voting to grant.  Justice Kruger dissented from the denial of review in Vigil.

 
