Education Consulting Firm Was Liable For Breach of Confidentiality of Medical Information Act (CMIA)
J.M., an 11-year-old student, filed a class action lawsuit by his guardian ad litem, Jean Paul Magallanes, against Illuminate, an education consulting business. J.M. alleged that Illuminate received his personal and medical information from his school and its office of education in order to assist the school and evaluate his educational progress at school. Illuminate provides support to school districts by maintaining student medical records on its network and monitoring their progress and their “social-emotional behavior.” Illuminate was subject to a data breach, but only notified J.M. and other victims about the breach five months later. J.M. alleged that after the breach, he started receiving “solicitations from third parties” that were sent to an address that he had only provided to Illuminate through the office of education. J.M. argued that Illuminate’s negligence in maintaining its database and its delayed disclosure of the breach constituted violations of the Confidentiality of Medical Information Act (CMIA) and the Customer Records Act (CRA).
Illuminate filed a demurrer, asking the trial court to dismiss the case. Illuminate argued that it did not fall within the CMIA or CRA and that J.M. failed to state a cause of action. The trial court agreed. J.M. filed a proposed second amended complaint stating more facts, and a motion for reconsideration. The trial court sustained the demurrer without leave to amend and entered judgment in favor of Illuminate. J.M. appealed.
Illuminate argued that the CMIA did not apply to it because it was not involved in health care. The court of appeal disagreed and held that Illuminate fell within the scope of the CMIA. The court of appeal explained that the CMIA applies to any business that maintains medical information used “for the diagnosis” of an individual, or that provides “software or hardware” for that purpose. The CMIA also applies to a “recipient of medical information” and to “any other entity” that seeks an authorization for “disclosure of protected health information.”
The court of appeal held that J.M. had sufficiently stated a cause of action under the CMIA because he alleged that there was an agreement to safeguard information, Illuminate breached that agreement, Illuminate was negligent, and Illuminate failed to promptly notify the victims of the data breach, waiting five months to do so.
The court of appeal held that Illuminate also fell within the scope of the CRA. The CRA protects customers who do business with entities that maintain their personal information. The CRA requires that businesses disclose security breaches that involve personal data. Businesses must disclose security breaches “in the most expedient time possible and without unreasonable delay.” The court of appeal held that J.M. also sufficiently stated a cause of action under the CRA, because he alleged that his confidential personal information was provided to Illuminate to evaluate his educational progress, that information was subject to a data breach, and he was the intended beneficiary under the CRA.
The court of appeal reversed the trial court’s judgment of dismissal and remanded the case to the trial court for further proceedings.
J.M. v. Illuminate Education, Inc. (July 25, 2024, No. B327683) ___Cal.App.5th___ [2024 Cal. App. LEXIS 471].
Note: Agencies and organizations that a district contracts with that are subject to the CMIA, such as health care providers and related entities, must protect consumer information and act consistent with legal requirements when there is a data breach. Districts should ensure their contracts with health and related service providers affirmatively state that the contractors will follow data privacy laws including but not limited to the CMIA and CRA.