The October 18, 2022, decision in Vigil v. Muir Medical Group IPA, Inc. by the Court of Appeal of the State of California, First Appellate District, Division Two provides a sound legal basis to defeat class certification in data breach cases against health care providers alleging violation of California's Confidentiality of Medical Information Act (CMIA). This decision is a boon for defendants, since violations of CMIA may result in statutory damages, even in the absence of actual damages, in the context of the unauthorized disclosure of medical information.

Background

Plaintiff Maria Vigil filed a class action against Muir Medical Group IPA, Inc. (Muir) claiming that Muir failed to adequately protect patients' data, thereby allowing a former employee to download to a spreadsheet the private medical information of nearly 5,500 patients, which she took with her when she left her employment at Muir.

The plaintiff proceeded to file a putative class action against Muir in California state court asserting various causes of action, including statutory violation of California's CMIA. In particular, the complaint alleged that Muir violated sections 56.101(a) and 56.36(b) of CMIA by negligently releasing patients' medical information without their authorization. Accordingly, the complaint sought statutory damages under CMIA for each purported class member.

CMIA

CMIA protects the confidentiality of patients' medical information. Section 56.101(a) provides, in pertinent part, that "any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information" is subject to statutory remedies available under sections 56.36(b) and (c) of the Act.

Section 56.36(b) of CMIA provides, in turn, that any individual may bring an action against an entity that has "negligently released" that individual's confidential information for nominal statutory damages of $1,000 and/or actual damages sustained by the patient. Section 56.36(c) of the Act provides for administrative civil fines and penalties as high as $250,000 per violation for knowing and willful misconduct.

As noted by the Muir court, prior California appellate court decisions analyzing CMIA in the context of a motion to dismiss have determined that:

  • A loss of possession of medical information alone is insufficient to state a CMIA claim.
  • What is required is pleading, and ultimately proving, that the confidential nature of a plaintiff's medical information was breached.
  • No breach of confidentiality takes place until an unauthorized person views the medical information.
  • A plaintiff must allege that their information was in fact viewed by an unauthorized party.

As the Muir court observed: "Imposing liability on a health care provider for the release of confidential information without a showing that an unauthorized party viewed the information would eliminate the injury and causation elements of negligence" incorporated into CMIA.

Class Certification Denied

To certify a class under California law, a plaintiff must demonstrate a community of interest among class members such that common questions of fact or law predominate over questions affecting individual members. In explaining the "predominance" requirement, the Muir court observed that class treatment is not appropriate where individual members of the purported class would be required to litigate numerous issues in order to determine their individual right to recovery.

The Muir court concluded that a breach of confidentiality under CMIA is an "individualized issue" since, as courts have recognized, the right to privacy is a "purely personal one." Moreover, each class member would be required to "establish that an unauthorized party viewed their confidential information and that Muir's negligence caused this breach of confidentiality." This analysis would require an individualized inquiry into the following factors:

  • Whether third parties used plaintiffs' information.
  • Whether this use was without authorization.
  • The timing of the misuse.
  • Whether plaintiffs took measures to protect against the misuse of their information.
  • Whether the information used was involved in the data breach.
  • Whether third parties could have obtained this information through other means.

Based on the record before it, the Muir court of appeals affirmed the trial court's ruling denying class certification based on the lack of predominance of the foregoing questions.

Conclusion

The Muir decision is a much-needed respite for health care defendants in data breach class actions alleging CMIA violations and potentially sizeable statutory damages. Of course, to benefit from the decision, more companies will have to be willing to proceed to class certification and at least partial discovery if the case survives a motion to dismiss.

Moreover, the Muir decision implies that the (lack of) predominance for purposes of class certification may be less of an issue in a case in which the unauthorized party published plaintiffs' medical information online and/or plaintiffs suffered identity theft (for the first time) following the incident.

In short, while the Muir court of appeals decision focuses on a CMIA violation, it nonetheless underscores the fact that, in the data breach context, individualized issues may predominate over common issues. Accordingly, defendants in a data breach class action should seek to oppose class certification by demonstrating that any purported injury to each individual requires a fact-specific inquiry that does not apply to the class as a whole. Rather, these are questions that each class member must answer.
