We have not written much on data privacy lately, but it remains a hot topic and one that changes rapidly as governments around the world (including numerous U.S. states) enact new data privacy laws. One thing that has not changed is the standard for proving a data privacy breach under California’s medical confidentiality statutes. For nearly ten years, that standard has been set by a duo of California opinions, Regents and Sutter Health, which held that a breach of confidentiality under the California Confidentiality of Medical Information Act (“CMIA”) requires that an unauthorized person actually view confidential patient information. A mere loss of possession of confidential information is not sufficient. Someone has to actually see it. No harm, no foul. We gave you our take on those two cases here and here.
That duo of cases is now a trilogy. In Vigil v. Muir Medical Group IPA, 84 Cal. App. 5th 197 (2022), the California Court of Appeal reaffirmed that a private right of action alleging breach of healthcare confidentiality has to involve an actual breach of confidentiality. In Vigil, the defendant independent practice association notified certain patients that a former employee had downloaded and taken with her information for about 5,400 patients. Id. at 205-06. The plaintiff received the notice and filed a class action complaint alleging a data privacy breach and multiple causes of action, including negligence and violations of the CMIA. Id.
You would think that the sufficiency of a plaintiff’s case would come up on the pleadings or a motion for summary judgment. But here it actually arose on the plaintiff’s motion for class certification, where she argued that the former employee’s alleged access to and retention of the patient information provided a basis for classwide relief. Id. at 206. The trial court denied that motion and concluded that “[l]iability for each class member is predicated on whether his or her information was actually viewed, which on these facts is not capable of resolution in the aggregate.” Id. at 207 (emphasis in original).
The California Court of Appeal agreed, in what was essentially a two-part analysis. First, the court noted that the CMIA provides a private right of action against anyone who has “negligently released” confidential medical information or records. Id. at 208. The court then analyzed Regents and Sutter Health and concluded that they correctly held that a negligent release requires a breach of confidentiality through an unauthorized person actually viewing confidential information. Citing Regents, the court reasoned,
[E]ven under this broad interpretation of “release,” pleading loss of possession [of confidential information] was insufficient to state a cause of action . . . . “What is required is pleading, and ultimately proving, that the confidential nature of the plaintiff’s medical information was breached as a result of the health care provider’s negligence.”
Id. at 210. The later Sutter Health opinion confirmed that a breach of confidentiality is required “and it clarified that ‘[n]o breach of confidentiality takes place until an unauthorized person views the medical information.’” Id. That is because “[i]t is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act.” Id. at 211 (internal quotes omitted).
The plaintiff in Vigil provided no reason to depart from this precedent. The cases uniformly held that a mere loss of possession of confidential information was insufficient to show a negligent release. Moreover, while the plaintiff argued that she and other putative class members would have to prove only that an unauthorized person downloaded or copied confidential medical information (as opposed to actually viewing it), the court concluded that the plaintiff “fail[ed] to present any cogent argument or legal authority in support of this conclusion.” Id. at 217. The court also noted the absurdity of the plaintiff’s position. Citing Sutter Health, the court noted that under the plaintiff’s argument, the theft of a computer hard drive containing information for 4 million patients would result in liability of at least $4 billion, even if the thief never viewed the information. Id. at 217-18. The court concluded that it did “not believe that the Legislature intended such an extreme result.” Id. at 218.
Second, having held that a breach of confidentiality under the CMIA requires a showing that an unauthorized person viewed the confidential information at issue, the Court of Appeal addressed class certification. It held that proof of a confidentiality breach is an individualized issue. The plaintiff argued that class members would have to prove only that the released information concerned them. But that is just another way of saying that the mere change of possession of confidential information constitutes a breach, which the authorities unanimously reject. In the end, “there is no release . . . in violation of [the CMIA] if the confidential nature of the information was not breached,” and that cannot happen unless someone actually views it. Id. at 220.
The trial court therefore correctly ruled that a breach of confidentiality is an issue individual to each patient and that individual issues predominated over common issues. Id. at 220-21. Even if the plaintiff had evidence that the defendant’s former employee viewed some of the information that she purportedly downloaded and kept, there was no evidence indicating whose information she viewed. There likewise was no evidence of any public disclosure or that any other unauthorized person might have viewed the information. Whose confidential information was viewed (if any), by whom (if anyone), and whether the defendant’s negligence caused any confidentiality breach (if there was one) could be determined only on a class-member-by-class-member basis. Id. at 221. Class certification denied in this case—and given Vigil’s rationale, in almost any other case under the CMIA.
We call this a two-fer. One opinion coming out the correct way on two important issues: The standard for a data privacy breach lawsuit under the CMIA and class certification.