J.M. v. Illuminate Educ., Inc.

323 Cal.Rptr.3d 605

J.M., a Minor, etc., Plaintiff and Appellant,

v.ILLUMINATE EDUCATION, INC., Defendant and Respondent.

2d Civ. No. B327683

Court of Appeal, Second District, Division 6.

Filed July 25, 2024

Benjamin F. Coats, Judge, Superior Court County of Ventura (Super. Ct. No. 56-2022-00567324-CU-MC-VTA) (Ventura County)

Potter Handy, Mark D. Potter, and James M. Treglio, San Diego, for Plaintiff and Appellant.

Kirkland & Ellis, Devin S. Anderson, Cynthia Love and David R. Williams, Los Angeles, for Defendant and Respondent.

GILBERT, P. J.

The Confidentiality of Medical Information Act (CMIA) protects confidential medical information. Here we decide its reach extends beyond medical providers.

J.M., a minor, by his guardian ad litem Jean Paul Magallanes, appeals a judgment of dismissal following the sustaining of a demurrer without leave to amend on his class action lawsuit against defendant Illuminate Education, Inc. (Illuminate). He claims Illuminate violated the CMIA (Civ. Code,¹ § 56 et seq.) and the Customer Records Act (CRA) (§ 1798.80 et seq.).

We conclude, among other things, that: 1) Illuminate falls within the scope of the CMIA and CRA; 2) J.M. stated sufficient facts to state causes of action under the CMIA and CRA; and 3) the trial court abused its discretion by sustaining the demurrer without leave to amend. We reverse and remand. J.M. may file an amended complaint in which he alleges additional facts.

FACTS

J.M., an 11-year-old student, filed a class action lawsuit by his guardian ad litem Jean Paul Magallanes, against Illuminate, an education consulting business. He alleged Illuminate obtained possession of his personal and medical information from his school and its office of education so that it could assist the school and evaluate his educational progress at the school. Illuminate promised to maintain that information confidentially, but it negligently maintained its database. Because of a data breach, a cyber hacker gained access to that personal information.

Illuminate did not promptly notify J.M. and other victims about the breach. It provided specific notice about the breach involving his personal information five months after the breach. After the data breach, J.M. started receiving "solicitations by mail from third parties" that were sent to "an address [J.M.] only provided to [Illuminate] through the Office of Education."

J.M. alleged Illuminate’s negligence in maintaining its database and its delayed disclosure of the breach constituted violations of the CMIA and CRA (§§ 56 et seq., 1798.80 et seq.), and he sought damages and injunctive relief.

Illuminate demurred claiming it did not fall within the CMIA or CRA and J.M. failed to state a cause of action.

The trial court sustained the demurrer. J.M. filed a proposed second amended complaint stating more facts about Illuminate and the harm caused by the delayed notification of the data breach. He filed a motion for reconsideration.

The trial court reviewed J.M.’s amended pleadings and concluded that he had not stated a cause of action and he could not amend to state a cause of action. It sustained the demurrer without leave to amend and entered judgment for Illuminate.

DISCUSSION

[1, 2] "A demurrer tests the sufficiency of the plaintiff’s complaint, i.e., whether it states facts sufficient to constitute a cause of action upon which relief may be granted." (Seidler v. Municipal Court (1993) 12 Cal.App.4th 1229, 1233, 16 Cal.Rptr.2d 90.) "A demurrer should not be sustained without leave to amend if the complaint states a cause of action under any theory or if there is a reasonable possibility the defect can be cured by amendment." (Ibid.) The allegations of a pleading must be "liberally construed, with a view to substantial justice between the parties." (Code Civ. Proc., § 452; American Telephone & Telegraph Co, v. California Bank (1943) 59 Cal. App.2d 46, 53,138 P.2d 49.)

Does Illuminate Fall Within the Scope of the CMIA ?

[3] J.M. alleged facts showing that Illuminate is an entity that falls within the scope of the CMIA. The CMIA "prohibits health care providers and related entities from disclosing medical information regarding a patient without authorization except in certain specified instances." (Regents of the University of California v. Superior Court (2013) 220 Cal.App.4th 549, 553, 163 Cal.Rptr.3d 205 (Regents of University), italics added.) A plaintiff may bring an action for damages against an entity that "negligently released confidential medical information concerning him or her in violation of CMIA." (Ibid.)

The CMIA broadly applies to the entities that possess or store confidential medical information, including providers of health care, health care service plans, and contractors. (§ 56.10, subd. (a).) It also applies to "[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or a provider of health care" or "for the diagnosis and treatment of the individual." (§ 56.06, subd. (a).) Such a business "shall be deemed to be a provider of health care subject to the requirements" of the CMIA. (Ibid.) This includes businesses that supply "software or hardware" to "maintain medical information," (Id., subd. (b).) The inclusion of the broad scope of entities that maintain this information is to (1) protect this information, and (2) require those who have it to act "in a manner that preserves the confidentiality of that information." (Regents of University, supra, 220 Cal. App.4th at p. 553, 163 Cal.Rptr.3d 205.)

J.M, alleged that Illuminate is an "education company" that provides "support" for school districts by maintaining student medical records on its "computer network," Illuminate monitors the progress of students K-12 and their "social-emotional behavior." Its services are provided to meet " ‘the unique needs of students who require additional supports in order to succeed.’" To perform its functions, Illuminate uses student medical information and "the diagnosis and treatment plans of children" to "diagnose students’ needs" and monitor their progress. Illuminate obtained J.M.’s medical records with the understanding that it would maintain them confidentially in its services to evaluate his educational performance. J.M. alleged that because of its storage and use of confidential medical records to perform its services, Illuminate falls within the scope of the CMIA.

In a proposed second amended complaint, J.M. alleged Illuminate "primarily works with school districts to provide assistance with special education and mental health services" and it maintains "mental health records of children." (Italics added.) Illuminated system is "licensed to 5,000 schools nationally and has a total enrollment of approximately 17 million students."

[4] School districts maintain student medical records for a variety of reasons. They are authorized to hire "physicians as full-time supervisors of health" and to provide ambulance care. (Ed. Code, §§ 49472, 49474.) They are required to "assess" a child’s disabilities (D.O. ex rel Walker v. Escondido Union School Dist (9th Cir. 2023) 59 F.4th 394, 405); to provide medical care at sports events. (Brown v. El Dorado Union High School Dist. (2022) 76 Cal.App.5th 1003, 1032, 292 Cal.Rptr.3d 72); and to cooperate with local health officials in preventing communicable diseases. (Let Them Choose v. Sun Diego Unified School Dist (2022) 85 Cal.App.5th 693, 708, 301 Cal.Rptr.3d 667.) When school districts share this medical information with entities such as Illuminate that has a large database, the CMIA’s confidentiality provisions are necessarily triggered.

Illuminate contends the CMIA does not apply to it because it is not involved in health care. J.M. alleges that Illuminate provides assistance to school districts by evaluating students with "social-emotional behavior" issues by using their medical records. Illuminate assists schools’ mental health services and maintains children’s mental health records. The statute includes entities that maintain medical records for the "diagnosis and treatment" of the individual. (§ 56.06, subd (a).) J.M. alleges Illuminate is diagnosing the educational progress of children with learning disabilities and mental health issues based on their medical records.

Illuminate argues it is not covered by the CMIA’s definition of a "provider of health care," a "health care service plan," or a "contractor." (§ 56.10, subd. (a).) A "contractor" is defined as a medical group, an independent practice association, pharmaceutical benefits manager, or a medical service organization. (§ 56.05, subd. (d).)

The Legislature did not confine the CMIA’s scope to these medical groups. In 2013 it amended the statute to expand the definition of a "provider of health care" to include "any business" that maintains medical information used "for the diagnosis" of an individual (§ 56.06, subds. (a) & (b)), or that provides "software or hardware" for that purpose (id., subd. (b)). This "amendment was intended to ensure that the CMIA would apply to all [personal health record] vendors that maintain medical information … whether or not the business was organized for that purpose." (Tiffany II et al., The Doctor Is In, But Your Medical Information Is Out Trends In California Privacy Cases Relating to Release of Medical Information (2015) 24, No. 1 Cal. State Bar J. 206, 225; see also Laps. Counsel’s Dig., Assam. Bill No. 658 (2013-2014 Reg. Sess.) 7 Stats. 2013, pp. 2611-2612.) The CMIA also applies to "[a] recipient of medical information" (§ 56.13) and to a "provider of health care, health care service plan, pharmaceutical company, contractor, or any other entity" that seeks an authorization for "disclosure of protected health information." (§ 56.11, subd. (c), italics added.)

[5–7] The CMIA is a remedial statute. "Remedial and protective statutes will be liberally interpreted to advance their clear purposes." (Fitch v....