For the First Time, California Court of Appeal Addresses Predominance Requirement for Class Certification in a Case Brought Under the California Confidentiality of Medical Information Act

On October 18, 2022, the California Court of Appeal certified for publication its opinion in Maria Vigil, Inc. v. Muir Medical Group IPA, Inc., No. A160897 (Vigil), which is the first published decision in California to address the predominance requirement for class certification in a case brought under the California Confidentiality of Medical Information Act (CMIA). The decision not only reaffirms the “actual viewing” requirement for a private cause of action under Section 56.36 of the CMIA, but more importantly establishes that a breach of confidentiality under the CMIA cannot be shown on a class-wide basis because individual issues would predominate.

The CMIA’s “Actual Viewing” Requirement

The two seminal California Court of Appeal decisions on the CMIA are Regents of University of California v. Superior Court, 220 Cal. App. 4th 549 (2013) and Sutter Health v. Superior Court, 227 Cal. App. 4th 1546 (2014). These cases hold that a plaintiff may only bring a private right of action under Section 56.36 of the CMIA if they can prove that an unauthorized third person in fact “actually viewed” their confidential medical information as a result of the defendant’s alleged negligence.¹ In both cases, the court held that courts must dismiss a CMIA data breach lawsuit unless the named plaintiffs provide evidence that their information was actually viewed by a third party. This is because Section 56.36 only permits a private right of action when there has been an “actual breach of confidentiality,” and “[n]o breach of confidentiality takes place until an unauthorized person views the medical information.”²

The Vigil Decision

The plaintiff in Vigil filed a class action alleging that Muir Medical Group violated the CMIA by negligently releasing class members’ confidential medical information as a result of a data breach that occurred in December 2017.

The Vigil decision addresses two key issues that are regularly litigated in CMIA cases: (1) whether a private cause of action under Section 56.36 of the CMIA requires the plaintiff to prove with evidence that an unauthorized third party “actually viewed” the individual plaintiff’s confidential medical information and (2) whether, in light of this “actual viewing” requirement, a private claim for breach of confidentiality under the CMIA can be established on a class-wide basis.

In addressing these issues, the Vigil decision relies on and reaffirms the findings in Regents and Sutter Health that a breach of confidentiality under the CMIA requires a showing that an unauthorized party “actually viewed” the confidential medical information. The plaintiff in Vigil argued that under Regents, “‘permit[ting] [the confidential information] to escape or spread from its normal place of storage’ and ‘allow[ing] it to be accessed’ by an unauthorized party” is enough to establish a breach of confidentiality, and that Sutter Health “wrongly narrowed” the Regents standard to prove a breach of confidentiality.³ In response, the Court of Appeal made clear that while “[t]he Regents court opined that providing an unauthorized party access to confidential information ‘may’ support a negligent release claim under the CMIA . . . Regents expressly held that mere loss of possession was insufficient to establish a ‘release,’ even under a ‘broad interpretation’ of that term.”⁴ The Vigil decision also clarifies that the California Legislature did not intend for healthcare providers to be liable for millions and even billions of dollars for the mere loss of possession of medical information.⁵

Applying the “actual viewing” standard to the predominance requirement for class certification, the Vigil decision explains that “a breach of confidentiality under the CMIA is an individualized issue” and therefore cannot be established on a class-wide basis because common issues would not predominate.⁶ Importantly, the decision states that because “the mere ability of an unauthorized party to access information cannot support [a breach of confidentiality],” each and every class member must prove that his or her medical information was viewed by an unauthorized party.⁷ Such proof “would require an assessment of each putative class member’s circumstances to determine whether his or her information was viewed by an unauthorized party and whether the data breach caused this breach of confidentiality.”⁸ Although Vigil reaffirms the legal standards mandated by Sutter Health and Regents, it is the first published California state court case to address the predominance requirement in a CMIA case or in a similar data breach action and, in doing so, to apply the “actually viewed” legal standard in that context.⁹

Implications

The California Court of Appeal’s decision in Vigil confirms the high evidentiary burden set forth in Sutter Health and Regents and makes clear that plaintiffs will face a difficult task in attempting to certify a class action under the CMIA. The court’s clarification of the CMIA’s legal standard and the proof that is required on a class-wide basis will not only expedite resolution of existing CMIA cases, but will also avoid future disputes and protracted litigation over the same issues. The Vigil decision will also deter litigants from bringing meritless CMIA claims and provide relief to healthcare providers who are faced with undue pressure to settle frivolous CMIA claims given the millions and billions of dollars in statutory damages at stake.

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.