The October 18, 2022 decision in Vigil v. Muir Medical Group IPA, Inc., from the California State Court of Appeal, First Appellate District, Division Two, provides a sound legal basis for defeating class certification in data breach cases against health care providers accused of violating California’s Medical Information Privacy Act (CMIA). This decision is a boon to defendants because violations of the CMIA can result in statutory damages, even in the absence of actual damages, in the case of unauthorized disclosure of medical information.
Plaintiff Maria Vigil alleges that Muir Medical Group IPA, Inc. (Muir) failed to adequately protect patient data, allowing a former employee to download the private medical information of nearly 5,500 patients into a spreadsheet. The former employee took the spreadsheet with her when she left her job at Muir.
Plaintiff proceeded to file a putative class action against Muir in California state court, asserting several causes of action, including statutory violations of California’s CMIA. Specifically, the complaint alleges that Muir violated sections 56.101(a) and 56.36(b) of the CMIA by negligently releasing patients’ medical information without their consent. Accordingly, the complaint sought statutory damages under the CMIA for each purported class member.
The CMIA protects the privacy of patients’ medical information. Section 56.101(a) provides, in relevant part, that “any health care, health care plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information” is subject to the statutory remedies available under Sections 56.36(b) and (c) of the Act.
Per Section 56.36(b) of the CMIA, any individual may bring an action against an entity that “negligently released” an individual’s confidential information for nominal statutory damages up to $1,000 and/or actual damages suffered by the patient. Section 56.36(c) of the Act provides for administrative civil penalties and fines of up to $250,000 per violation for knowing and willful misconduct.
As the Muir court noted, prior California Court of Appeals decisions analyzing the CMIA in the context of a motion to dismiss held that:
- Loss of ownership of medical information is not sufficient to assert a CMIA claim
- Alleging and ultimately proving that the confidential nature of the plaintiff’s medical information has been breached is required
- No breach of privacy occurs until an unauthorized person views the medical information
- Plaintiffs must allege that their information was actually viewed by an unauthorized party.
As the Muir court noted: “Imposing liability on health care providers for the release of confidential information without showing that an unauthorized party viewed the information eliminates the negligence injury and causation elements” incorporated in the CMIA.
Class certification denied
To certify a class under California law, a plaintiff must demonstrate a community of interest among class members, meaning that general questions of fact or law prevail over questions affecting individual members. In explaining the requirement of “predominance”, the Muir court noted that class treatment is inappropriate where individual members of a purported class must litigate several issues to determine their individual right to recovery.
The Muir court concluded that a violation of privacy under the CMIA is a “personal issue” because, as courts have recognized, the right to privacy is “entirely personal.” Further, each class member is required to “establish that an unauthorized party accessed their confidential information and that Muir’s negligence caused this breach of confidentiality.” This analysis requires a personal inquiry into the following points:
- Whether third parties have used plaintiffs’ information
- Whether this use was without permission
- The timing of the misuse
- Whether plaintiffs have taken steps to protect against misuse of their information
- Whether the information used was involved in a data breach
- Whether third parties may have obtained this information through other means
Based on the record, the Muir Court of Appeals affirmed the trial court’s decision denying class certification for lack of predominance, given the individual questions above.
The Muir decision is a much-needed reprieve for health care defendants in data breach class actions alleging CMIA violations and potentially substantial statutory damages. Of course, to benefit from the decision, most companies must be willing to proceed to class certification and undergo at least partial discovery if the case survives the motion to dismiss.
Furthermore, the Muir decision suggests that (lack of) predominance may be less of an issue for purposes of class certification when an unauthorized party publishes plaintiffs’ medical information online and/or when plaintiffs experience identity theft for the first time after the incident.
In short, although the Muir Court of Appeals focused on breaches of the CMIA, its decision emphasizes that, in the case of a data breach, individual issues may prevail over general issues. Accordingly, defendants in a data breach class action must seek to oppose class certification by demonstrating that any purported injury to each individual requires a fact-specific inquiry that does not apply to the class as a whole. Rather, these are questions for each class member to answer.