Breach of confidentiality claim under the CMIA requires proof that medical information was “actually viewed” by an unauthorized party.
A former Muir Medical Group employee downloaded and retained the private medical information of over 5,000 patients. Muir patient Maria Vigil filed a class action complaint against Muir alleging violations of the Confidentiality of Medical Information Act (CMIA) (Civ. Code, §§ 56 et seq.) and seeking statutory damages for each class member. The trial court denied Vigil’s motion for class certification, ruling that common issues would not predominate because, under Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, each class member would need to show that his or her confidential information was “actually viewed” by an unauthorized party to obtain CMIA remedies. Vigil appealed.
The Court of Appeal affirmed. Agreeing with Sutter Health, the court explained that negligently losing possession of confidential medical information does not, by itself, establish a breach of confidentiality under the CMIA. More is required—proof that the information was actually viewed by an unauthorized party—because the CMIA’s focus is medical information, not physical records. This construction of the CMIA advances its purpose to protect patient privacy while accommodating common law negligence principles, which require proof of causation and injury beyond the mere breach of a duty. Because the potential for an unauthorized party to access confidential information does not establish a CMIA claim, Vigil had to show that actual unauthorized viewing of patient medical information could be established on a class-wide basis. She failed to do so, therefore the trial court did not abuse its discretion when it ruled that individual issues would predominate over common issues. While the record showed that the former employee may have viewed some of the purloined medical information, each class member’s right to recover under the CMIA depended on the facts of his or her individual circumstances.