Metropolitan News-Enterprise

Friday, May 15, 2026

Page 1

California Supreme Court:

Actual Viewing Not Vital for Liability Over Medical Data Leak

Opinion Says That While Cases Requiring Access Are Disapproved, Student’s Claims Against Technology Firm Over Breach Were Wrongly Revived as Company Is Not ‘Provider of Health Care’ Under Confidentiality Law


By Kimber Cooley, associate editor


The California Supreme Court held yesterday that a statute providing a cause of action for disclosures of confidential medical records only requires a showing that a leak exposed a user’s information to “a significant risk of unauthorized access,” disapproving a line of cases saying that a plaintiff must prove that the information was “actually viewed.”

Yesterday’s unanimous opinion, authored by Justice Goodwin H. Liu, came by way of a dispute over whether an educational technology company hired by multiple California school districts could be held liable under the Confidentiality of Medical Information Act (“CMIA”), found at Civil Code §56 et seq., or the Customer Records Act (“CRA”), codified at §1798.80 et seq., over an alleged breach of students’ information maintained by the company.

Finding that the plaintiff’s operative complaint could not withstand a pleading challenge, Liu wrote:

“[The plaintiff] has not stated a valid claim under the CMIA because he has not sufficiently alleged that [the defendant] is a ‘provider of health care’ within the meaning of Civil Code section 56.06….[Additionally,] because [the plaintiff] has not sufficiently alleged that he is [the technology company’s] ‘customer’ within the meaning of the CRA…, he has not stated a cause of action under the CRA….”

Significant Risk

Adding that, “in order to establish a failure to preserve the confidentiality of medical information under the CMIA, a plaintiff does not need to allege that the information was actually viewed by an unauthorized third party,” and that “confidentiality is breached when the information is exposed to a significant risk of unauthorized access or use,” Liu declared:

“We disapprove Regents of the University of California v. Superior Court,…220 Cal.App.4th 549, Sutter Health v. Superior Court,…227 Cal.App.4th 1546, and Vigil v. Muir Medical Group IPA, Inc.,…84 Cal.App.5th 197, to the extent they are inconsistent with this opinion.”

Justice Joshua P. Groban penned a concurring opinion to “elaborate on the scope of the ‘significant risk of unauthorized access or use’ standard the majority adopts,” saying:

“The standard the majority adopts in place of the ‘actually viewed’ rule…must…have some force: It cannot be satisfied by mere speculation or a theoretical possibility of access inherent any time data comes into the possession of an unauthorized third party. Rather, a ‘significant risk’ must be grounded in facts showing that unauthorized access to or use of the data is reasonably likely under the circumstances. Such a risk will not exist where the surrounding facts make access or use unlikely—for example, where stolen data is protected by robust encryption.”

Putative Class Action

The question of liability arose after a minor identified only as “J.M.,” by and through his guardian ad litem Jean Paul Magallanes, filed a putative class action complaint against Illuminate Education Inc. in June 2022 after receiving notice that the company had experienced a data breach. On behalf of a putative class of all California citizens who were “registered with their school districts on or before December 28, 2021, and who received notices” of the data breach, he asserted claims under the CRA and §§56.10 and 56.101 of the CMIA.

Sec. 56.10 provides that “[a] provider of health care…shall not disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization,” and §56.101 adds that “[e]very provider of health care…who…stores…medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”

Illuminate demurred, arguing that it was not a “provider of health care” covered by CMIA, J.M. was not its “customer” within the meaning of the CRA, and the plaintiff had failed to allege sufficient injuries under either statute. J.M. lodged an amended complaint in response, adding new allegations, including that his information had actually been viewed because he had “received numerous phone calls from solicitors” after the asserted breach.

Ventura Superior Court Judge Benjamin F. Coats sustained the demurrer, without leave to amend, in February 2023. Div. Six of this district’s Court of Appeal reversed in July 2024, ruling that Illuminate is covered by the CMIA’s scheme, that the plaintiff had alleged the requisite harm for liability to attach, and that J.M. and the other students were the “ultimate” customers or beneficiaries of the defendant, even in the absence of any contractual relationship.

Provider Definition

Addressing whether Illuminate qualifies as a “provider of health care,” Liu turned to §56.06, which clarifies that the term refers to:

“Any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual.”

Saying that the court would “[set] aside whether Illuminate is a ‘business organized for the purpose of maintaining medical information,’ ” Liu opined that “J.M. does not allege that…Illuminate makes medical information available to individuals in order to allow them to manage their information or that Illuminate provides medical information…for diagnosis and treatment.”

Rejecting the view that the fact that dyslexia screening results are part of the records maintained by Illuminate puts the records within the ambit of the statutory scheme, he wrote:

“Apart from a sole reference to ‘access provided…to students and parents’ the entirety of J.M.’s allegations about Illuminate’s services focus on its provision of ‘educational software applications and technology support to the school districts’…in order to aid student assessment and educational planning.”

Acknowledging that “Section 56.06 was written broadly,” he said: “At the same time, we note that although the CMIA was designed to adapt to technological changes in the way medical information is stored and used, its scope has limits. This is reflected in the Legislature’s decision to include a specific definition of ‘providers of health care’ that does not sweep within its ambit any entity that stores medical information.”

Turning to what type of injury qualifies under the statutory scheme, he pointed out that the remedies provision of the law provides that “an individual may bring an action against a person or entity who has negligently released confidential information or records concerning him or her in violation of this part” and may seek either “nominal damages” of $1,000 or “the amount of [any] actual damages.” The jurist said:

“The Legislature’s inclusion of a ‘nominal’ remedy for persons who were not actually damaged…signals that liability under the statute focuses on the allegedly negligent conduct of the covered entity, not on the resulting harm to the plaintiff.”

Recognizing that eliminating the “actually viewed” requirement may open the door to liability in scenarios that may not comport with the legislative intent, such as if a thief steals a computer full of patient files but wipes the hard drive clean in order to pawn the device, he commented:

“Meanwhile, an ‘actually viewed’ standard would pose difficult problems of pleading and proof. Victims…are unlikely to know what an unauthorized party has done with their data unless they suffer actual damage…, and relevant information about the breach may often be in the possession of the covered entity….The difficulty of…proving actual viewing in many…scenarios suggests that such a standard may significantly enervate the…remedial statute.”

Middle Ground

Reasoning that the court’s “significant risk” rule finds a rational middle ground, he said:

“This standard is sufficiently flexible to distinguish between ‘smash-and-grab hardware theft,’ where the unauthorized party seeks the hardware and not the data it contains, and conventional data breaches, where the unauthorized party is targeting the data for illicit use. It also provides a suitable standard for evaluating whether other negligent releases of medical information…result in a breach of confidentiality.”

Saying that a plaintiff must be “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business” under the CRA, he remarked that “J.M. has not alleged he has a customer relationship with Illuminate.”

Liu declared:

“We reverse the judgment of the Court of Appeal and remand this matter to the Court of Appeal for further proceedings consistent with our opinion. We leave it to the courts below to consider whether, in light of our holdings today, J.M. may be granted leave to amend his complaint if he so requests.”

Justice Martin N. Buchanan of Div. One of the Fourth District Court of Appeal, sitting by assignment, joined in the decision.

The case is J.M. v. Illuminate Education Inc., 2026 S.O.S. 1331.


Copyright 2026, Metropolitan News Company