Background
Illuminate Education, an ed-tech company, provided a data platform used by school districts across California. In 2022, a data breach exposed confidential information for millions of K-12 students, including medical and health records maintained as part of their educational files. Affected students and their guardians filed suit, asserting claims under the Confidentiality of Medical Information Act (CMIA) and the Customer Records Act (CRA), among other statutes.
The trial court sustained Illuminate’s demurrers. The Court of Appeal affirmed in part, holding that Illuminate was not a “provider of health care” under the CMIA because it merely stored data without providing health-care services, and that students were not “customers” under the CRA because they did not purchase anything from Illuminate. The California Supreme Court granted review on both issues — and on the broader question of what constitutes a “breach of confidentiality” under the CMIA.
The Court’s Holding
The California Supreme Court affirmed in part and reversed in part. It agreed that, on the facts alleged, Illuminate is not a “provider of health care” under the CMIA — a company that merely stores medical information as part of an education platform does not thereby become a health-care provider. The Court also agreed that students are not “customers” of Illuminate under the CRA, because that statute requires a direct transactional relationship.
However, the Court announced a major new standard for what constitutes a “breach of confidentiality” under the CMIA. Rejecting the so-called “actually viewed” rule — which required plaintiffs to prove that an unauthorized person actually saw the disclosed information — the Court held that a breach of confidentiality occurs whenever medical information is exposed to a significant risk of unauthorized access or use. The Court expressly disapproved three Court of Appeal decisions (Regents of the University of California v. Superior Court, Sutter Health v. Superior Court, and Vigil v. Muir Medical Group) that had imposed the “actually viewed” requirement.
Justice Groban concurred, agreeing with the new standard but writing separately to urge that leave to amend should not have been granted on the CMIA claim.
Key Takeaways
- A company that stores medical information as part of a non-health-care platform (such as an educational data system) is not automatically a “provider of health care” under the CMIA.
- Students who do not directly transact with a data vendor are not “customers” under the Customer Records Act.
- The “actually viewed” standard for CMIA breach-of-confidentiality claims is dead. Plaintiffs now need only show their medical information was exposed to a significant risk of unauthorized access or use.
- Three Court of Appeal decisions — Regents, Sutter Health, and Vigil — are expressly disapproved, eliminating a major defense in data breach litigation.
- Entities that handle medical information should evaluate their exposure under the new, plaintiff-favorable standard, which could open the door to liability even when no actual misuse is proven.
Why It Matters
This decision fundamentally changes the landscape of medical data breach litigation in California. Under the old rule, defendants in CMIA cases could defeat claims by arguing that no unauthorized person ever actually accessed the exposed data — a nearly impossible hurdle for plaintiffs. The new “significant risk” standard aligns the CMIA with the practical reality of data breaches, where proving that a specific person viewed specific records is often infeasible.
For businesses that handle any medical or health-related data — including ed-tech companies, HR platforms, and insurance administrators — the holding means that a breach exposing such data to potential unauthorized access can itself give rise to CMIA liability, regardless of whether misuse is shown. California practitioners should advise clients to revisit data security protocols and insurance coverage in light of this expanded exposure.