Privacy Alert: California Supreme Court Reshapes Medical Data Privacy Law: Victims Need Not Prove Information Was Actually Viewed

In a landmark ruling with sweeping implications for data privacy litigation in California, the state Supreme Court has established a new legal standard for victims of medical data breaches, one that significantly lowers the evidentiary bar plaintiffs must clear to bring claims under the state’s Confidentiality of Medical Information Act (CMIA).

The court held Thursday that a plaintiff does not need to prove that an unauthorized party actually read their exposed medical records. Instead, it is sufficient to show that a breach exposed a user’s information to “a significant risk of unauthorized access.” In doing so, the justices unanimously disapproved a line of appellate decisions that had imposed the more demanding “actually viewed” requirement — a standard critics had long argued made it nearly impossible for breach victims to vindicate their rights.

The unanimous opinion, authored by Justice Goodwin H. Liu, arose from a putative class action lawsuit against Illuminate Education Inc., a San Diego-based educational technology company that provides software applications and administrative platforms to school districts across California. The decision simultaneously resolved a secondary question — whether Illuminate could be considered a “provider of health care” under the CMIA — and a third issue concerning the company’s potential liability under the state’s Customer Records Act.

The court’s answers on the three questions produced a mixed result. While the “significant risk” standard markedly expands the ability of breach victims to plead CMIA claims in general, the court ultimately held that the plaintiff’s claims against Illuminate could not survive a pleading challenge, reversing the Court of Appeal’s decision to reinstate the lawsuit and remanding for further proceedings.

Background: A Data Breach, a Minor Plaintiff, and a Putative Class

The case began in June 2022, when a minor identified in court filings only as “J.M.,” represented by his guardian ad litem Jean Paul Magallanes, filed a putative class action complaint against Illuminate Education Inc. The company had notified students and families that it experienced a data breach on or around December 28, 2021, potentially compromising the records of students enrolled in multiple California school districts that used its platforms.

Illuminate’s software suite is used by school districts to track student assessments, academic progress, and learning plans. Among the categories of student data maintained by the company were records of health-related educational evaluations — including screenings for conditions such as dyslexia — which J.M.’s complaint characterized as medical information subject to CMIA protections.

On behalf of a putative class of all California citizens “registered with their school districts on or before December 28, 2021, and who received notices” of the data breach, J.M. asserted claims under the Customer Records Act and under sections 56.10 and 56.101 of the CMIA.

Section 56.10 provides that “[a] provider of health care…shall not disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization.” Section 56.101 similarly mandates that “[e]very provider of health care…who…stores…medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”

Illuminate responded by demurring, arguing that it did not qualify as a “provider of health care” under the CMIA, that J.M. was not its “customer” within the meaning of the CRA, and that the plaintiff had failed to allege sufficient injuries under either statute.

J.M. lodged an amended complaint in response to those arguments, adding new allegations aimed at shoring up his claims. Notably, he alleged that his information had actually been viewed by unauthorized parties because he had “received numerous phone calls from solicitors” following the asserted breach — an attempt to satisfy what courts had previously required under the “actually viewed” standard.

Ventura Superior Court Judge Benjamin F. Coats was unpersuaded. In February 2023, Judge Coats sustained Illuminate’s demurrer without leave to amend. J.M. appealed, and Division Six of the Second District Court of Appeal reversed in July 2024. The appellate panel ruled that Illuminate is covered by CMIA’s scheme, that J.M. had adequately alleged the requisite harm for liability to attach, and that J.M. and his fellow students were the “ultimate” customers or beneficiaries of Illuminate even in the absence of any direct contractual relationship with the company.

Illuminate petitioned for review, and the Supreme Court agreed to take up the case.

The “Actually Viewed” Standard and Its Critics

Before Thursday’s ruling, California courts had been divided — or at least inconsistent — on what a plaintiff must allege to state a CMIA claim based on a data breach. A line of Court of Appeal decisions had held that a plaintiff must prove the leaked information was “actually viewed” by an unauthorized third party.

In Regents of the University of California v. Superior Court, 220 Cal.App.4th 549, Sutter Health v. Superior Court, 227 Cal.App.4th 1546, and Vigil v. Muir Medical Group IPA, Inc., 84 Cal.App.5th 197, appellate courts had required this actual-viewing proof before finding that a breach of confidentiality had occurred under the statute.

Privacy advocates and plaintiffs’ attorneys had long argued this standard placed an impossible burden on breach victims. In the overwhelming majority of data breach cases, a plaintiff would have no way of knowing whether an unauthorized party had opened, read, or made use of their records. That information, if it existed at all, would typically reside with the breached entity — not the injured individual.

Justice Liu acknowledged this practical reality directly in Thursday’s opinion, writing that victims of data breaches “are unlikely to know what an unauthorized party has done with their data unless they suffer actual damage…, and relevant information about the breach may often be in the possession of the covered entity.” He further observed that “[t]he difficulty of…proving actual viewing in many…scenarios suggests that such a standard may significantly enervate the…remedial statute.”

The New Standard: “Significant Risk of Unauthorized Access”

In place of the “actually viewed” requirement, the court adopted what it described as a more balanced test. “[I]n order to establish a failure to preserve the confidentiality of medical information under the CMIA,” Liu wrote, “a plaintiff does not need to allege that the information was actually viewed by an unauthorized third party,” and “confidentiality is breached when the information is exposed to a significant risk of unauthorized access or use.”

In doing so, the court explicitly disapproved Regents, Sutter Health, and Vigil “to the extent they are inconsistent with this opinion.”

To illustrate how the new rule operates in practice, Liu drew a distinction between different categories of breach scenarios. A “smash-and-grab hardware theft,” where a criminal steals a laptop or server primarily for its hardware value and not for any data it contains, would likely not satisfy the “significant risk” threshold. By contrast, a conventional data breach — where a malicious actor specifically targets and extracts stored data for illicit use — would plainly present a significant risk of unauthorized access.

The new standard, Liu explained, “is sufficiently flexible to distinguish between ‘smash-and-grab hardware theft,’ where the unauthorized party seeks the hardware and not the data it contains, and conventional data breaches, where the unauthorized party is targeting the data for illicit use. It also provides a suitable standard for evaluating whether other negligent releases of medical information…result in a breach of confidentiality.”

The court also pointed to the statutory remedy structure as confirmation that the Legislature did not intend to require proof of actual harm. The CMIA’s remedies provision allows an individual to recover nominal damages of $1,000, the amount of any actual damages, or both. As Liu explained: “The Legislature’s inclusion of a ‘nominal’ remedy for persons who were not actually damaged…signals that liability under the statute focuses on the allegedly negligent conduct of the covered entity, not on the resulting harm to the plaintiff.”

Justice Groban’s Concurrence: Defining the Limits of “Significant Risk”

Justice Joshua P. Groban penned a separate concurring opinion specifically to “elaborate on the scope of the ‘significant risk of unauthorized access or use’ standard the majority adopts” — an apparent effort to ensure the new rule is not interpreted so broadly as to swallow any meaningful pleading requirement.

Groban cautioned that the standard “must…have some force: It cannot be satisfied by mere speculation or a theoretical possibility of access inherent any time data comes into the possession of an unauthorized third party.”

Instead, he wrote, “a ‘significant risk’ must be grounded in facts showing that unauthorized access to or use of the data is reasonably likely under the circumstances.” Groban further indicated that the standard would not be met “where the surrounding facts make access or use unlikely — for example, where stolen data is protected by robust encryption.”

The concurrence signals that defendants in future cases may have viable arguments against CMIA liability where they can show that the breached data was encrypted or otherwise secured at the time of the exposure. In practice, that argument will only be as strong as the protection actually was: encryption whose keys were obtained in the same incident, or that the intruder could otherwise defeat, would not make access “unlikely” in the sense Groban describes.

Illuminate’s Status as a “Provider of Health Care”

Despite its broad holding on the “significant risk” standard, the court ruled that J.M. had not stated a valid claim against Illuminate because the company does not qualify as a “provider of health care” within the meaning of the CMIA.

The critical definition is found at Civil Code §56.06, which extends the “provider of health care” designation to:

“Any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual.”

Liu acknowledged the threshold question of whether Illuminate is “a business organized for the purpose of maintaining medical information” but declined to resolve it, instead focusing on the second prong of the definition. He wrote that “J.M. does not allege that…Illuminate makes medical information available to individuals in order to allow them to manage their information or that Illuminate provides medical information…for diagnosis and treatment.”

J.M. had argued that because dyslexia screening results were among the records Illuminate maintained, those records fell within the ambit of the CMIA. The court was unpersuaded. Setting aside a sole reference to “access provided…to students and parents,” Liu observed that “the entirety of J.M.’s allegations about Illuminate’s services focus on its provision of ‘educational software applications and technology support to the school districts’…in order to aid student assessment and educational planning.”

The court acknowledged that “Section 56.06 was written broadly,” but added an important qualification: “Although the CMIA was designed to adapt to technological changes in the way medical information is stored and used, its scope has limits. This is reflected in the Legislature’s decision to include a specific definition of ‘providers of health care’ that does not sweep within its ambit any entity that stores medical information.”

The ruling suggests that the mere incidental storage of health-adjacent data — such as educational disability screening records — will not, without more, transform a technology company into a CMIA-regulated “provider of health care.”

The Customer Records Act Claim

J.M.’s parallel claim under the Customer Records Act fared no better. The CRA requires that a plaintiff be “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.” Liu concluded that “J.M. has not alleged he has a customer relationship with Illuminate.”

The Court of Appeal had held that students were the “ultimate” customers or beneficiaries of Illuminate’s services, even without a direct contractual relationship. The Supreme Court rejected that reasoning. The school districts — not the students — are Illuminate’s clients. Students are the subjects of the data, not the purchasers of the service.

Disposition and What Comes Next

The court reversed the Court of Appeal’s judgment and remanded the matter for further proceedings. Crucially, the Supreme Court left open the possibility that J.M. may be granted leave to amend his complaint: “We leave it to the courts below to consider whether, in light of our holdings today, J.M. may be granted leave to amend his complaint if he so requests.”

That language invites J.M. — and by extension, counsel for the putative class — to recraft the complaint in light of the court’s guidance. A revised complaint might, for example, include more specific allegations about whether Illuminate makes medical information available to students or parents for purposes of managing their health information, or allege facts sufficient to establish a customer relationship under the CRA.

Justice Martin N. Buchanan of Division One of the Fourth District Court of Appeal, sitting by assignment, joined in the decision.

The case is J.M. v. Illuminate Education Inc., 2026 S.O.S. 1331.
