LEARN
MORE

California Supreme Court Clarifies Scope of CMIA and CRA Liability for Education Technology Vendors

CATEGORY: Private Education Matters
CLIENT TYPE: Private Education
DATE: Jul 01, 2026

On May 14, 2026, the California Supreme Court issued its decision in J.M. v. Illuminate Education, Inc., addressing the circumstances under which education technology vendors may be subject to liability under the Confidentiality of Medical Information Act (“CMIA”) and the Customer Records Act (“CRA”). The Court held that not every entity that stores or processes medical information qualifies as a “provider of health care” under the CMIA, and not every individual whose information is maintained by a business qualifies as a statutory “customer” under the CRA. The Court also clarified that a plaintiff asserting a CMIA confidentiality claim need not allege that confidential medical information was actually viewed by an unauthorized person.

The decision reverses a prior Court of Appeal ruling that had interpreted both statutes broadly and allowed the plaintiff’s claims against Illuminate Education, Inc. (“Illuminate”) to proceed.

Background

The case arose from a class action lawsuit filed by J.M., an 11-year-old student, through his guardian ad litem, against Illuminate, an education consulting and technology company that provides data management and student assessment services to school districts and county offices of education.

According to the complaint, Illuminate received J.M.’s personal and medical information from his school and county office of education to assist in evaluating his educational progress. Illuminate’s platform allegedly maintained student medical records and monitored student performance, including “social-emotional behavior.” Illuminate later experienced a data breach but allegedly did not notify affected individuals until approximately five months after the incident.

J.M. further alleged that, after the breach, he began receiving third-party solicitations at an address that had only been provided through educational records shared with Illuminate. Based on these allegations, J.M. asserted claims under the CMIA and CRA, alleging that Illuminate negligently maintained its database and failed to provide timely notice of the breach.

Illuminate demurred, arguing that it was not subject to either statute and that the complaint failed to state viable causes of action. The trial court agreed, sustained the demurrer without leave to amend, and entered judgment in Illuminate’s favor.

Court of Appeal Decision

The Court of Appeal reversed. It concluded that Illuminate fell within the scope of the CMIA because the statute broadly applies to entities that maintain medical information, provide related software or hardware, receive medical information, or otherwise handle protected health information. The court held that J.M. sufficiently alleged a CMIA claim by asserting that Illuminate had a duty to safeguard medical information, breached that duty through negligent data security practices, and failed to timely notify affected individuals of the breach.

The Court of Appeal also held that Illuminate could be subject to the CRA, which requires businesses maintaining personal information to disclose data breaches “in the most expedient time possible and without unreasonable delay.” The court concluded that J.M. adequately stated a claim because his personal information was disclosed to Illuminate for educational purposes and allegedly compromised in the breach.

Supreme Court Decision

The California Supreme Court reversed the Court of Appeal’s decision and adopted a narrower interpretation of both statutes.

CMIA

The Supreme Court held that the Court of Appeal interpreted the CMIA too broadly by extending the statute to entities that merely possess or store medical information for educational purposes. The Court concluded that Illuminate was not sufficiently alleged to be a “provider of health care” under Civil Code section 56.06 because its platform primarily supported educational functions, including dyslexia screening, student progress monitoring, and educational planning for school districts and educators, rather than medical diagnosis, treatment, or patient-controlled health record management.

The Court also rejected alternative arguments that Illuminate qualified as a covered entity under other CMIA provisions, finding that the complaint did not sufficiently allege that Illuminate received medical information pursuant to a qualifying authorization or otherwise fell within the statute’s coverage.

CRA

The Court similarly concluded that the Court of Appeal interpreted the CRA too expansively. The Supreme Court held that J.M. was not a statutory “customer” under the CRA because the Ventura County Office of Education, not J.M., contracted with Illuminate and provided the student information at issue. As a result, J.M. lacked standing to pursue a CRA claim against Illuminate.

CMIA Confidentiality Standard

Although the Court narrowed the scope of entities and individuals covered under the CMIA and CRA, it also clarified the standard for pleading a CMIA confidentiality violation under Civil Code section 56.101.

Rejecting prior appellate decisions that required plaintiffs to show confidential medical information was “actually viewed” by an unauthorized person, the Court held that a breach of confidentiality may occur when medical information is exposed to a significant risk of unauthorized access or use, regardless of whether anyone actually viewed the information.

The Court explained that relevant considerations may include:

  • the nature, duration, and extent of the breach;
  • whether the data was specifically targeted;
  • the likelihood of unauthorized access or misuse; and
  • mitigation efforts undertaken following the incident.

The Court further emphasized that negligent loss of possession alone is neither automatically sufficient nor automatically insufficient to establish liability, and that courts must evaluate the totality of the circumstances.

J.M. v. Illuminate Education, Inc. (May 14, 2026) ___Cal.5th___ [2026 Cal. WL 1340681].

Note: Although the Supreme Court narrowed the categories of entities and individuals that may pursue claims under the CMIA and CRA, the decision also clarified that plaintiffs need not allege confidential medical information was actually viewed by an unauthorized person to state a CMIA confidentiality claim. Whether a school, educational institution, or third-party vendor falls within the scope of these statutes may depend on the nature of the services provided and the entity’s role in collecting, maintaining, or using medical information. Schools, school districts, and organizations that contract with educational technology providers should continue to protect confidential medical information and comply with applicable breach notification requirements. Educational institutions should also ensure that contracts with third-party providers expressly require compliance with applicable data privacy laws, including the CMIA and CRA, and clearly allocate responsibility for data security, incident response, and breach notification obligations.

View More News

Private Education Matters
California Court of Appeal Revives Disabled Law Student’s Unruh Act Claim Against Volunteer Professor
READ MORE
Private Education Matters
Court Finds that Disagreement with Bullying Investigation Does Not Establish Disability Discrimination At Private Girls School
READ MORE