California Legal Brief

The Rule of J.M. v. Illuminate Education, Inc. is that an educational technology company that collects and stores student medical information to help school districts assess educational needs is not a "provider of health care" under the Confidentiality of Medical Information Act (CMIA), and students are not "customers" under the Customer Records Act (CRA), under circumstances where the company provides services to school districts rather than directly to individuals for medical diagnosis/treatment or personal health record management.

Appeal from order granting demurrer without leave to amend in Superior Court, Ventura County.

Defendant Appellant was Illuminate Education, Inc. — an educational technology company that provides data analysis services to school districts to help assess student educational needs and monitor progress.

Plaintiff Respondent was J.M. — a minor student whose medical information was compromised in a data breach of Illuminate's systems.

The suit sounded in violations of the Confidentiality of Medical Information Act and the Customer Records Act arising from a data breach. No cross-claims were identified.

The key substantive facts leading to the suit were that Illuminate collected student medical information through its contract with Ventura County Office of Education to provide educational assessment services. In 2022, Illuminate suffered a data breach that exposed students' medical information to unauthorized access between December 28, 2021, and January 8, 2022. J.M.'s medical information was among the compromised data, and Illuminate delayed notifying affected parties until June 2022.

The procedural result leading to the Appeal: The trial court granted Illuminate's demurrer without leave to amend, ruling that J.M. failed to state valid claims under either the CMIA or CRA because Illuminate was not a covered entity under either statute and J.M. lacked standing under the CRA as he was not Illuminate's "customer."

The key question(s) on Appeal: 1. Whether an educational technology company qualifies as a "provider of health care" under Civil Code section 56.06 when it maintains student medical information for educational assessment purposes; 2. Whether a breach of confidentiality under the CMIA requires that medical information be "actually viewed" by unauthorized parties or whether exposure to significant risk of unauthorized access suffices; 3. Whether a student whose information was collected through a school district contract has standing as a "customer" under the CRA.

The Appellate Court held that Illuminate is not a "provider of health care" under the CMIA because it does not make medical information available to individuals or healthcare providers for medical diagnosis/treatment or to allow individuals to manage their medical information, but rather provides educational assessment services to school districts. The court also held that breach of confidentiality under the CMIA occurs when information is exposed to significant risk of unauthorized access or use, not merely when actually viewed. Finally, J.M. lacks standing under the CRA because he is not Illuminate's "customer" within the statutory definition.

The case is inapplicable when the entity makes medical information directly available to individuals for personal health record management, provides services directly to healthcare providers for medical diagnosis and treatment, or has a direct customer relationship with the individual whose data was breached.

The case leaves open whether J.M. might be able to amend his complaint to cure the pleading defects, the precise boundaries of what constitutes "significant risk of unauthorized access or use" under the CMIA, and whether Illuminate might qualify as a "contractor" under CMIA section 56.05.