Brown v. Mortensen, 126 Cal. Rptr. 3d 428

Brown, a patient, was billed $600 for a non-rendered dental crown by Dr. Reinholds; Brown disputed the debt.
Mortensen, via a collection agency, repeatedly disclosed Brown’s and his children’s confidential medical information to Experian, Equifax, and TransUnion.
Disclosures included names, SSNs, dates of birth, addresses, and Brown’s and his children’s dental histories, without authorization.
Dr. Reinholds ratified Mortensen’s disclosures and made additional unauthorized disclosures to Equifax.
Brown alleged violations of the Confidentiality of Medical Information Act (Civ. Code, § 56 et seq.) and sought damages; the trial court dismissed after a demurrer, Court of Appeal affirmed the preemption ruling.
The issue presented is whether FCRA § 1681t(b)(1)(F) preempts Brown’s Confidentiality Act claims or whether state privacy protections survive.

Issue	Plaintiff's Argument	Defendant's Argument	Held
Does § 1681t(b)(1)(F) preempt Confidentiality Act claims?	Brown argues broader preemption; state privacy claims are displaced by the FCRA as furnishers.	Mortensen argues claims arise from furnishers’ duties regulated by § 1681s-2 and are preempted.	Preemption is limited to furnisher duties in § 1681s-2 (accuracy and dispute handling).
What is the scope of 'subject matter regulated' by § 1681s-2 for preemption purposes?	Broadly covers furnishers' duties, thus preempts state privacy claims.	Only the two specific duties (accuracy and dispute response) are preempted.	Narrow reading: only furnishers' accuracy and dispute-handling duties are preempted.
Does HIPAA affect the preemption analysis between FCRA and the Confidentiality Act?	HIPAA signals broader federal privacy framework that supports preemption.	HIPAA and FCRA should be harmonized; HIPAA preserves more stringent state privacy rules.	HIPAA and the Reform Act together support a limited preemption, preserving stricter state privacy laws.
Does the Confidentiality Act claim rest on accuracy/dispute handling or on privacy without misstatement?	Disclosures were unauthorized; the claim rests on privacy protection, not accuracy.	If the claim overlaps with § 1681s-2 duties, it is preempted.	Confidentiality Act claims rest on unauthorized disclosure (privacy), not accuracy; not preempted.

Hill v. National Collegiate Athletic Assn., 7 Cal.4th 1 (Cal. 1994) (privacy interest in medical information)
Medtronic, Inc. v. Lohr, 518 U.S. 470 (U.S. 1996) (scope of preemption; statutory interpretation)
Cipollone v. Liggett Group, Inc., 505 U.S. 504 (U.S. 1992) (textual interpretation and preemption framework)
Wyeth v. Levine, 555 U.S. 555 (U.S. 2009) (congressional intent as touchstone in preemption)
Olszewski v. Scripps Health, 30 Cal.4th 798 (Cal. 2003) (presumption against preemption in state-federal balance)
Farm Raised Salmon Cases, 42 Cal.4th 1077 (Cal. 2008) (strong presumption against preemption; field of privacy)