In Vigil v. Muir Med. Grp. Ipa, No. A160897, 2022 Cal. App. Unpub. LEXIS 5858, at *17-32 (Sep. 26, 2022), the California Court of Appeal affirmed denial of class certification in a CMIA data breach case because each class member would have to prove that an unauthorized party viewed the confidential information. The data breach facts were as follows. Muir is an independent practice association that consists of primary care and specialty care providers that provide medical services to patients through the John Muir Health system. In May 2018, Ute Burness, Chief Executive Officer of Muir, notified certain patients that their personal information may have been involved in a data breach that occurred in December 2017. According to Burness, Muir discovered in March 2018 that a former employee took with her certain information in the possession of Muir before her employment ended with Muir (the data breach). The letter stated that Muir conducted an investigation, and “there is no evidence to date that your personal information has been misused in any way.” Vigil was one of the patients. The trial court granted Muir’s motion to file under seal some portions of the class certification papers and the supporting evidence. Accordingly, we will not divulge the content of the sealed portions of the record (Cal. Rules of Court, rule 8.46(b)(1)), which largely concern Muir’s internal investigation of who received this notice. Muir later admitted that the former employee, Myrissa Centeno, had downloaded copies of information for over 5,400 patients that included insurance and clinical information. In July 2018, Vigil filed a class action complaint asserting causes of action for violation of the Customer Records Act (CRA) (§ 1798.80 et seq.), violation of the CMIA (§ 56 et seq.), unlawful and unfair business practices under the Unfair Competition Law (UCL) (Bus. & Prof. Code, § 17200 et seq.), and negligence. The UCL claim was predicated on the statutory and negligence claims.
The complaint alleged that under the Health Insurance Portability and Accountability Act’s (HIPAA) Security Management Process standard (45 C.F.R. § 164.308), Muir’s employees should not have had access to records concerning approximately 5,500 patients without a “compelling” reason, nor should they have been able to take sensitive patient information with them. The complaint sought compensatory and punitive damages for Muir’s alleged negligence in failing to secure plaintiffs’ personal information.
The Court of Appeal affirmed denial of class certification.
Vigil first argues that under Regents, confidential information that is “viewed, published, accessed, downloaded, copied, or otherwise ‘permitted[] to escape from its normal place of storage’ ” is “released” within the meaning of section 56.36, subdivision (b), and that a plaintiff need only show that the health care provider negligently “released” the confidential medical information to establish a claim under sections 56.36, subdivision (b), and 56.101, subdivision (a). She asserts that Sutter Health wrongly narrowed the Regents standard for a negligent release claim by requiring a showing that an unauthorized party “actually viewed” the confidential medical information to prove a breach of confidentiality. Based on the statute’s plain language, we agree with Sutter Health that a breach of confidentiality under the CMIA requires a showing that an unauthorized party viewed the confidential information. The CMIA does not define the term “confidential,” but the ordinary meaning of the word supports Sutter Health’s “viewed” requirement. (Angelucci v. Century Supper Club (2007) 41 Cal.4th 160, 168 [“In interpreting a statute, we first consider its words, giving them their ordinary meaning and construing them in a manner consistent with their context and the apparent purpose of the legislation”].) The common or ordinary dictionary definition of “confidential” is “private” or “secret.” (See, e.g., Black’s Law Dict. (11th ed. 2019) p. 373, col. 1 [“meant to be kept secret”]; Webster’s Third New International Dict. (1961) p. 158, col. 1 [“private, secret”].) Thus, under the ordinary meaning of “confidential,” the confidential nature of information is not breached unless the information is reviewed by unauthorized parties. This construction is consistent with the purpose of the CMIA to protect patients’ privacy. (See Brown v. Mortensen (2011) 51 Cal.4th 1052, 1071 [“[T]he interest protected by [the CMIA] is an interest in informational privacy”].)
Moreover, we also agree with Sutter Health’s reasoning that section 56.101, subdivision (a), which allows a health care provider to “dispose” of or “abandon” medical information so long as the confidentiality of that information is preserved, indicates the Legislature did not intend to “impose[] liability if the health care provider simply loses possession of the medical records.” (Sutter Health, supra, 227 Cal.App.4th at p. 1556.) A breach of confidentiality thus entails more than mere loss of possession and does not “take[] place until an unauthorized person views the medical information.” (Id. at p. 1557.) Vigil presents no basis for departing from Sutter Health. We disagree that Sutter Health “narrow[ed]” Regents by requiring more than mere loss of possession of medical records to establish a breach of confidentiality. After noting that the plaintiff could not “allege her medical records were, in fact, viewed by an unauthorized individual,” the Second District held her pleading was “deficient” because it amounted to no “more than an allegation of loss of possession by the health care provider.” (Regents, supra, 220 Cal.App.4th at p. 570.) Indeed, as the court in Regents stated, loss of possession is not necessarily required. “[A] breach of confidentiality, of course, can occur whether or not the information remains in the actual possession of the health care provider.” (Regents, supra, 220 Cal.App.4th at p. 570, fn. 14.) It is an unauthorized person’s viewing and/or use of another’s medical records that violates the latter’s interest in privacy of the information they contain. Vigil relies on Regents’ plain meaning construction of the term “release”-“permit[ting] [the confidential information] to escape or spread from its normal place of storage” and “allow[ing] it to be accessed” by an unauthorized party-as support for her argument. 
However, Regents does not stand for the proposition that mere loss of possession is sufficient on its own to prove a breach of confidentiality under sections 56.101, subdivision (a), and 56.36, subdivision (b). The Regents court opined that providing an unauthorized party access to confidential information “may” support a negligent release claim under the CMIA. (Regents, supra, 220 Cal.App.4th at p. 565.) But Regents expressly held that mere loss of possession was insufficient to establish a “release,” even under a “broad interpretation” of that term. (Id. at p. 570.) By “release” in section 56.36, subdivision (b) “as incorporated into section 56.101,” the Legislature intended “more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information.” (Regents, at p. 570.) Vigil points to other sections of the CMIA that use the term “release” as support for her argument that the Legislature intended section 56.36, subdivision (b), to refer to the actions of the custodian in “surrendering” or “mak[ing] available” private medical information to third parties. But those sections set forth the circumstances in which a health care provider may release medical information to the patient or to third parties; they do not impose liability on the health care provider for its “negligence.” (Compare § 56.101, subd. (a) with §§ 56.11, 56.104, 56.07.) Muir, on the other hand, contends that the Legislature’s use of the word “negligently” in sections 56.101 and 56.36 supports the conclusion in Regents and Sutter Health that a breach of confidentiality under the CMIA requires more than a release of confidential information. We agree. . . .
Vigil contends Sutter’s reliance on the “duty of confidential[ity] that pervades CMIA” is misplaced because some courts have recognized that a breach of confidentiality can occur when the information is merely “disclosed” or “disseminated,” regardless of whether unauthorized parties viewed the information. But the cases Vigil cites as support for this argument do not address the CMIA and are inapposite. None stand for the proposition that confidentiality is automatically breached whenever the confidential information is disseminated to unauthorized parties. In U.S. Dept. of Justice v. Landano (1993) 508 U.S. 165, cited by Vigil, the court addressed the meaning of “confidential source” as used in an exemption from disclosure under the federal Freedom of Information Act (FOIA) for records compiled by criminal law enforcement authorities in the course of a criminal investigation. (Landano, at p. 167.) The exemption applies if the release of criminal investigation records “ ‘could reasonably be expected to disclose’ the identity of, or information provided by, a ‘confidential source.’ ” (Ibid.) In rejecting the defendant’s argument “that a source is ‘confidential’ for purposes of [the exemption] only if the source can be assured, explicitly or implicitly, that the source’s cooperation with the Bureau will be disclosed to no one,” the court concluded “this cannot have been Congress’ intent.” (Id. at p. 171.) To read “confidential source” as meaning one given “[a] promise of complete secrecy” would mean “the FBI agent receiving the source’s information could not share it even with other FBI personnel” and the information “would be of little use to the Bureau.” (Id. at p. 173.) The court’s practical construction of the phrase “confidential source” in the context of the exemption from FOIA sheds no light on the nature of the CMIA’s breach of confidentiality element. . . .
Vigil also asserts that a plaintiff would only have to show that an unauthorized party “downloaded” or “copied” confidential medical information to establish a claim under sections 56.36, subdivision (b), and 56.101, subdivision (a). However, she fails to present any cogent argument or legal authority in support of this conclusion in her opening brief. . . . We therefore conclude the trial court correctly determined that a breach of confidentiality under sections 56.36, subdivision (b), and 56.101, subdivision (a), requires a showing that an unauthorized party viewed the confidential information at issue.
The Court of Appeal also held that the Plaintiff could not show that Breach of Confidentiality could be established on a Class-Wide Basis.
Vigil next challenges the trial court’s finding that each class member would have to prove that his or her medical information was viewed by an unauthorized party. She argues that such a requirement cannot be found in section 56.36, Sutter Health or Regents. Instead, she claims, Regents shows that Vigil would not have to prove that Centeno read any of the information contained within the patient spreadsheet; her ability to access the information is sufficient under the CMIA. But, as previously discussed, the mere ability of an unauthorized party to access information cannot support a claim under sections 56.101, subdivision (a), and 56.36, subdivision (b). Vigil further contends that under Sutter Health, she need only show that Centeno viewed the confidential records and not individual data entries. Muir disagrees, arguing that whether a breach of confidentiality under the CMIA occurred is an inherently individualized inquiry. We agree that a breach of confidentiality under the CMIA is an individualized issue. Regents recognized that sections 56.36, subdivision (b), and 56.101, subdivision (a), provide a private cause of action for individual patients. This private cause of action, like the right of privacy, “ ‘ “is purely a personal one.” ’ ” (Regents, supra, 220 Cal.App.4th at p. 563 & fn. 6.) “The remedy provided in subdivision (b) [of section 56.36] is the right of an individual whose confidential information has been released in violation of CMIA to bring a private cause of action for nominal and/or actual damages.” (Id. at p. 561.) For a negligent maintenance claim under section 56.101, subdivision (a), there is no “release[] . . . in violation of [the CMIA]” if there is no breach of confidentiality. (§§ 56.36, subd. (b), 56.101, subd. (a).) Accordingly, the individual bringing a private cause of action under those sections must establish that the confidential nature of his or her information was breached because of the health care provider’s negligence.
(See Regents, at p. 570.) Contrary to Vigil’s assertion in her opening brief, Sutter Health does not stand for the proposition that under the CMIA, a plaintiff need only show that an unauthorized party viewed some of the confidential information included in a medical record, regardless of whether the information viewed concerned the plaintiff. Sutter Health did not address this precise issue, which Vigil concedes in her reply. Vigil contends that because a negligent release claim leads to lesser penalties under subdivision (b) of section 56.36 than an intentional release claim under subdivision (c) of that section, a negligent release claim requires a correspondingly less stringent evidentiary standard. But the legislative history she cites as support for this argument suggests that the purpose of the penalties under that section is deterrence, which in turn indicates that the increased penalties were intended to correspond with the increased culpability of the person or entity that discloses or uses medical information in violation of the CMIA. (See Assem. Com. on Judiciary, Analysis of Sen. Bill No. 19 (1999-2000 Reg. Sess.) July 13, 1999, p. 9 [“While the new civil penalties in the bill appropriately apply to ‘knowing and willful’ violations, the author believes that lesser penalties for negligent conduct that leads to an unauthorized disclosure should also be included in order to deter those releases as well”].) There is nothing in this history that suggests a negligent release claim does not require an individualized showing for the breach of confidentiality element. . . . Accordingly, we conclude that each class member would have to show that his or her medical information was viewed by an unauthorized party to recover under the CMIA.