MARIA VIGIL, Plaintiff and Appellant, v. MUIR MEDICAL GROUP IPA, INC., Defendant and Respondent.
A160897
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA FIRST APPELLATE DISTRICT DIVISION TWO
September 26, 2022
NOT TO BE PUBLISHED IN OFFICIAL REPORTS. California Rules of Court, rule 8.1115(a), prohibits courts and parties from citing or relying on opinions not certified for publication or ordered published, except as specified by rule 8.1115(b). This
Maria Vigil filed a class action against Muir Medical Group IPA, Inc. (Muir), claiming that it failed to secure patients’ personal information, thereby allowing a former employee to download private medical information belonging to over 5,000 patients and take it with her when she left her employment with Muir. Among other causes of action, the class
Several months after initiating the action, Vigil filed a motion for class certification. The trial court denied the motion, finding as to the CMIA claim that each class member would have to show that the confidential nature of his or her medical information had been breached by an unauthorized party, as required by Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546 (Sutter Health), and therefore that common issues would not predominate.
Vigil appeals, asserting that the trial court relied on an erroneous reading of the CMIA and that a breach of confidentiality can be shown on a class-wide basis. We reject those arguments, and we affirm, concluding that the trial court properly applied the CMIA and exercised its discretion in denying class certification.
BACKGROUND
I.
The Data Breach and Vigil‘s Complaint
Muir is an independent practice association that consists of primary care and specialty care providers that provide medical services to patients through the John Muir Health system.
In May 2018, Ute Burness, Chief Executive Officer of Muir, notified certain patients that their personal information may have been involved in a data breach that occurred in December 2017. According to Burness, Muir discovered in March 2018 that a former employee took with her certain information in the possession of Muir before her employment ended with Muir (the data breach). The letter stated that Muir conducted an investigation, and “there is no evidence to date that your personal information has been misused in any way.”2 Vigil was one of the patients who received this notice. Muir later
In July 2018, Vigil filed a class action complaint asserting causes of action for violation of the Customer Records Act (CRA) (
The complaint further alleged that Muir violated sections
II.
Motion for Class Certification
In September 2019, Vigil moved for class certification, appointment of her counsel as class counsel and appointment of herself as class representative. As pertinent here, Vigil contended that the complaint presented questions common to the class regarding whether Muir was negligent in handling class members’ private medical information by failing to comply with its own HIPAA security policies, whether this negligence caused the data breach, and whether Centeno accessed and retained the private medical information without authorization. Vigil supported her motion with her declaration, citations to the depositions of two of Muir‘s HIPAA security officers and some of the deposition exhibits, including Muir‘s HIPAA policies, and Muir‘s discovery responses.
In opposition, Muir argued, among other things, that a CMIA claim requires a showing that the confidential nature of the plaintiff‘s medical information was breached, and that Sutter Health, supra, 227 Cal.App.4th 1546 held that there is no breach of confidentiality under the CMIA unless an unauthorized party has “actually viewed” the information. (Id. at p. 1550.) Thus, according to Muir, individualized issues of fact and law would predominate over the common questions because each putative class member would have to show that an unauthorized person viewed his or her confidential medical information.
In her reply, Vigil asserted that the case could be decided on a class-wide basis because there was evidence that Centeno downloaded, retained, and viewed a patient spreadsheet, and the CMIA does not require a showing that an unauthorized person read each line of medical data. In support, Vigil presented excerpts of the deposition of Janet Kesterson, Centeno‘s colleague at her current employer, that Vigil contended shows Centeno disclosed to Kesterson patient information she obtained from Muir. Kesterson testified that in March 2018, their employer tasked her and Centeno with traveling to offices to get phone numbers for Medicare members. Centeno told Kesterson there was no need to go to those offices because she had the phone numbers, and she “lifted her phone and just scrolled real fast.” Kesterson testified that she could not “decipher what information [Centeno] was scrolling through.” She “could just tell it was an Excel spreadsheet.”
Following a hearing on the motion, the trial court issued an order denying class certification. The court found that Vigil had conceded that the CRA does not apply to Muir, and thus the “crux” of Vigil‘s case “rest[ed] on her claim for breach of the Confidentiality of Medical Information Act.”3 It further found that the predominance of common questions requirement was not met because under the CMIA, “individualized inquiries would be required to prove Defendant‘s liability and damages to each of the nearly 5,500 proposed class members.” Specifically, it concluded that “[l]iability for each class member is predicated on whether his or her information was actually viewed, which on these facts is not capable of resolution in the aggregate.”
Vigil appeals from the order denying class certification.
DISCUSSION
Vigil argues we should reverse the trial court‘s order because it relied on an erroneous reading of the CMIA in finding a predominance of individual issues. We conclude the trial court did not err in its application of the CMIA, and the class complaint‘s allegations raise questions regarding breach of
I.
Legal Standards
A. The Governing Statutes
The CMIA protects the confidentiality of patients’ medical information. (Loder v. City of Glendale (1997) 14 Cal.4th 846, 859.) It does so by prohibiting health care providers from disclosing a patient‘s medical information without authorization (
Here, Vigil alleges Muir violated section
Section
B. The Case Law Interpreting Sections 56.36 and 56.101 of the CMIA
Sutter Health, supra, 227 Cal.App.4th 1546 and its predecessor, Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549 (Regents), are central to the parties’ arguments in this appeal. Those cases address some of the requirements of a CMIA claim under sections
In Regents, a thief stole an external hard drive and a card containing the hard drive‘s encryption password from the home of a physician working within the Regents health care system. (Regents, supra, 220 Cal.App.4th at p. 554.) The plaintiff, whose medical information was on the hard drive along with the medical information of more than 16,000 other patients, filed a complaint asserting a violation of the CMIA and seeking nominal damages for herself and for each of the more than 16,000 patients. (Regents, at pp. 554–555.) The complaint alleged that Regents failed to exercise due care to prevent the release or disclosure of the medical information, ” ‘and as a result it negligently lost possession of the hard drive and encryption passwords.’ ” (Id. at p. 555.) Regents demurred to the complaint, and the trial court overruled the demurrer. (Id. at pp. 555–556.) Regents sought a writ of mandate requiring the trial court to sustain the demurrer, and the appellate court granted review of the trial court‘s ruling. (Id. at pp. 557, 571.)
On review, the court first noted that the parties did not dispute that the plaintiff had adequately alleged a violation of the duty imposed on Regents by section
The Regents court went on to hold, however, that even under this broad interpretation of “release,” pleading loss of possession was insufficient to state a cause of action under sections
The Third District decided Sutter Health the following year. Sutter Health involved a stolen desktop computer. (Sutter Health, supra, 227 Cal.App.4th at p. 1552.) Stored on the computer‘s hard drive were the medical records of more than four million patients in password-protected but unencrypted format. (Ibid.) The plaintiffs filed a complaint asserting violations of the CMIA. (Sutter Health, at p. 1552.) The defendant health care provider demurred, arguing the complaint did not state a claim under the CMIA because it did not allege that any unauthorized person had viewed the stolen medical information. (Sutter Health, at p. 1552.) The trial court overruled the demurrer, concluding the complaint sufficiently alleged a cause of action for breach of the CMIA. (Sutter Health, at p. 1552.) On a petition for writ of mandate challenging the order overruling the defendant‘s demurrer, the Court of Appeal agreed with Regents that the plaintiffs must plead and prove a breach of confidentiality, and it clarified that “[n]o breach of confidentiality takes place until an unauthorized person views the medical information.” (Sutter Health, at pp. 1553, 1555, 1557.)
The Third District arrived at this conclusion differently from the Second District, however. (Sutter Health, supra, 227 Cal.App.4th at p. 1555.) Unlike the Regents court, the Sutter Health court found that the duty of confidentiality imposed on health care providers by section
The court noted that the second sentence of section
The court concluded the defendant did not violate section
Although Regents and Sutter Health were decided at the pleading stage, both hold that a breach of confidentiality under sections
C. Class Certification Standards and Standards of Review
To properly allege a class, Vigil must “demonstrate the existence of an ascertainable and sufficiently numerous class, a well-defined community of interest, and substantial benefits from certification that render proceeding as a class superior to the alternatives.” (Brinker Restaurant Corp. v. Superior Court (2012) 53 Cal.4th 1004, 1021 (Brinker).) Community of interest, or commonality, encompasses three factors, including ” ‘predominant common questions of law or fact.’ ” (Linder, supra, 23 Cal.4th at p. 435.) “To establish the requisite community of interest, the proponent of certification must show, inter alia, that questions of law or fact common to the class predominate over the questions affecting the individual members . . . .” (Washington Mutual Bank, FA v. Superior Court (2001) 24 Cal.4th 906, 913.)
The denial of class certification to an entire class is an appealable order. (Linder, supra, 23 Cal.4th at p. 435.) We review a ruling on class certification for abuse of discretion. (Brinker, supra, 53 Cal.4th at pp. 1017, 1022.) A trial court ruling supported by substantial evidence will not be disturbed unless it rests on improper criteria or erroneous legal assumptions. (Sav-On Drug Stores, Inc. v. Superior Court (2004) 34 Cal.4th 319, 326–327.) We review de novo issues of statutory construction. (Regents, supra, 220 Cal.App.4th at p. 558.)
II.
Analysis
A. The Trial Court Did Not Err in Its Interpretation of the CMIA.
This class action is predicated on Muir‘s alleged negligence in maintaining and releasing confidential information in violation of sections
1. The Court Correctly Determined That a Breach of Confidentiality Requires an Unauthorized Person to Have “Actually Viewed” the Confidential Medical Information.
Vigil first argues that under Regents, confidential information that is “viewed, published, accessed, downloaded, copied, or otherwise ‘permitted[] to escape from its normal place of storage’ ” is “released” within the meaning of section
Based on the statute‘s plain language, we agree with Sutter Health that a breach of confidentiality under the CMIA requires a showing that an unauthorized party viewed the confidential information. The CMIA does not define the term “confidential,” but the ordinary meaning of the word supports Sutter Health‘s “viewed” requirement. (Angelucci v. Century Supper Club (2007) 41 Cal.4th 160, 168 [“In interpreting a statute, we first consider its words, giving them their ordinary meaning and construing them in a manner consistent with their context and the apparent purpose of the legislation”].) The common or ordinary dictionary definition of “confidential” is “private” or “secret.” (See, e.g., Black‘s Law Dict. (11th ed. 2019) p. 373, col. 1 [“meant to be kept secret”]; Webster‘s Third New International Dict. (1961) p. 158, col. 1 [“private, secret”].) Thus, under the ordinary meaning of “confidential,” the confidential nature of information is not breached unless the information is reviewed by unauthorized parties. This construction is consistent with the purpose of the CMIA to protect patients’ privacy. (See Brown v. Mortensen (2011) 51 Cal.4th 1052, 1071 [“[T]he interest protected by [the CMIA] is an interest in informational privacy”].)
Moreover, we also agree with Sutter Health‘s reasoning that section
Vigil presents no basis for departing from Sutter Health. We disagree that Sutter Health “narrow[ed]” Regents by requiring more than mere loss of possession of medical records to establish a breach of confidentiality. After noting that the plaintiff could not “allege her medical records were, in fact, viewed by an unauthorized individual,” the Second District held her pleading was “deficient” because it amounted to no “more than an allegation of loss of possession by the health care provider.” (Regents, supra, 220 Cal.App.4th at p. 570.)
Vigil relies on Regents’ plain meaning construction of the term “release“—“permit[ting] [the confidential information] to escape or spread from its normal place of storage” and “allow[ing] it to be accessed” by an unauthorized party—as support for her argument. However, Regents does not stand for the proposition that mere loss of possession is sufficient on its own to prove a breach of confidentiality under sections
Vigil points to other sections of the CMIA that use the term “release” as support for her argument that the Legislature intended section
” ‘The fundamental purpose of statutory construction is to ascertain the intent of the lawmakers so as to effectuate the purpose of the law.’ ” (Realmuto v. Gagnard (2003) 110 Cal.App.4th 193, 199.) As Sutter Health appears to have recognized in its application of general negligence principles (Sutter Health, supra, 227 Cal.App.4th at pp. 1557–1558), when the Legislature couches its enactment in common law language, we presume that it intended to carry over such rules as were part of the common law into statutory form. (Presbyterian Camp & Conference Centers, Inc. v. Superior Court (2021) 12 Cal.5th 493, 503 (Presbyterian Camp).) The essential elements of common law negligence are “the existence of a duty to use due care toward an interest of another that enjoys legal protection against unintentional invasion” (Bily v. Arthur Young & Co. (1992) 3 Cal.4th 370, 397), breach of that duty, injury, and causation (Dixon v. City of Livermore (2005) 127 Cal.App.4th 32, 42).
Vigil‘s interpretation of sections
Vigil contends Sutter‘s reliance on the “duty of confidential[ity] that pervades CMIA” is misplaced because some courts have recognized that a breach of confidentiality can occur when the information is merely “disclosed” or “disseminated,” regardless of whether unauthorized parties viewed the information. But the cases Vigil cites as support for this argument do not address the CMIA and are inapposite. None stand for the proposition that
In U.S. Dept. of Justice v. Landano (1993) 508 U.S. 165, cited by Vigil, the court addressed the meaning of “confidential source” as used in an exemption from disclosure under the federal Freedom of Information Act (FOIA) for records compiled by criminal law enforcement authorities in the course of a criminal investigation. (Landano, at p. 167.) The exemption applies if the release of criminal investigation records ” ‘could reasonably be expected to disclose’ the identity of, or information provided by, a ‘confidential source.’ ” (Ibid.) In rejecting the defendant‘s argument “that a source is ‘confidential’ for purposes of [the exemption] only if the source can be assured, explicitly or implicitly, that the source‘s cooperation with the Bureau will be disclosed to no one,” the court concluded “this cannot have been Congress’ intent.” (Id. at p. 171.) To read “confidential source” as meaning one given “[a] promise of complete secrecy” would mean “the FBI agent receiving the source‘s information could not share it even with other FBI personnel” and the information “would be of little use to the Bureau.” (Id. at p. 173.) The court‘s practical construction of the phrase “confidential source” in the context of the exemption from FOIA sheds no light on the nature of the CMIA‘s breach of confidentiality element.
Similarly inapposite is Berkeley Police Assn. v. City of Berkeley (2008) 167 Cal.App.4th 385 (Berkeley Police Assn.), in which the court held that interpreting a local ordinance to permit public hearings on citizen complaints against a police officer would conflict with provisions of the Police Officers Bill of Rights (POBRA) because it would result in disclosure of police personnel records those provisions required to be kept confidential. (Berkeley Police Assn., at pp. 404–405.) The court‘s discussion of which records were confidential within the meaning of POBRA, which focused on earlier California Supreme Court authority interpreting the scope of POBRA‘s confidentiality provision and on the specific text of the relevant POBRA provisions (Berkeley Police Assn., at pp. 395–402), likewise has no bearing on the meaning of the CMIA‘s language regarding health care providers’ liability for breach of confidentiality.
The third case cited by Vigil, Culinary Foods, Inc. v. Raychem Corp. (N.D.Ill. 1993) 151 F.R.D. 297, addressed the request of plaintiff, Culinary, for a protective order for certain materials it sought to discover from Raychem and Raychem‘s request for a more restrictive order. The parties disputed whether Culinary could disseminate materials determined to be confidential to litigants and attorneys involved in similar actions against Raychem. (Id. at p. 306 orders issued by other courts.” (Id. at p. 307.) Insofar as Vigil‘s point in citing Culinary Foods is that allowing unauthorized access to confidential information can increase the risk that someone will view and/or make use of that information, that is no doubt true. However, it does not answer the question of whether the Legislature, in adopting sections 56.36 and 56.101, intended to impose liability in situations where no actual invasion of the plaintiff‘s privacy occurs. Moreover, the Sutter Health court recognized that the change of possession of confidential information increases the risk of a confidentiality breach, but nonetheless held that the CMIA “does not provide for liability for increasing the risk of a confidentiality breach.” (Sutter Health, supra, 227 Cal.App.4th at p. 1557.)
Vigil also asserts that a plaintiff would only have to show that an unauthorized party “downloaded” or “copied” confidential medical information to establish a claim under sections
event, a party that downloads or copies electronic files, as Centeno allegedly did in this case, does not necessarily breach confidentiality if the party has not actually viewed the confidential information included in the file. “It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act.” (Sutter Health, supra, 227 Cal.App.4th at p. 1557.)
Finally, Vigil argues that the rule of Sutter Health will lead to unintended or absurd results. But interpreting sections
Vigil cites Stasi v. Inmediata Health Grp. Corp. (S.D.Cal. 2020) 501 F.Supp.3d 898 (Stasi) as support for her argument. There, the defendant posted confidential medical information on the internet, “making it searchable, findable, viewable, printable, copiable, and downloadable by anyone in the world with an internet connection.” (Id. at p. 924.) Vigil argues that under “any conceivable standard,” the confidentiality of the information at issue in that case was destroyed once it was published online, while that would not be the case under Sutter Health if the plaintiffs could not prove that an unauthorized party viewed their information. What she ignores is that the court in Stasi upheld Sutter Health‘s “viewed” requirement. (Stasi, at p. 923.) There, on appeal from a motion to dismiss for failure to state a claim, the court found that the complaint‘s allegations gave rise to a reasonable inference that “someone” viewed the confidential information since it was accessible “by anyone in the world with an internet connection.” (Id. at p. 924.) Thus, Stasi does not support Vigil‘s argument.
We therefore conclude the trial court correctly determined that a breach of confidentiality under sections
2. Vigil Has Not Shown That a Breach of Confidentiality Can Be Established on a Class-Wide Basis.
Vigil next challenges the trial court‘s finding that each class member would have to prove that his or her medical information was viewed by an unauthorized party. She argues that such a requirement cannot be found in section
We agree that a breach of confidentiality under the CMIA is an individualized issue. Regents recognized that sections
Contrary to Vigil‘s assertion in her opening brief, Sutter Health does not stand for the proposition that under the CMIA, a plaintiff need only show that an unauthorized party viewed some of the confidential information included in a medical record, regardless of whether the information viewed concerned the plaintiff. Sutter Health did not address this precise issue, which Vigil concedes in her reply.
Vigil contends that because a negligent release claim leads to lesser penalties under subdivision (b) of section
Vigil argues for the first time in her reply that based on the plain language of section
violation of” section
Accordingly, we conclude that each class member would have to show that his or her medical information was viewed by an unauthorized party to recover under the CMIA.
B. The Trial Court Did Not Abuse Its Discretion in Finding a Predominance of Individual Issues.
Since Vigil has not shown that a breach of confidentiality can be established on a class-wide basis, the question then is whether the common questions predominate over those individualized questions.
The key inquiry in determining whether the predominance requirement has been met is whether “the issues which may be jointly tried, when compared with those requiring separate adjudication, must be sufficiently numerous and substantial to make the class action advantageous to the judicial process and to the litigants.” (City of San Jose v. Superior Court (1974) 12 Cal.3d 447, 460.) “Presented with a class certification motion, a trial court must examine the plaintiff‘s theory of recovery, assess the nature of the legal and factual disputes likely to be presented, and decide whether individual or common issues predominate.” (Brinker, supra, 53 Cal.4th at p. 1025; see also Ayala v. Antelope Valley Newspapers, Inc. (2014) 59 Cal.4th 522, 530 [the question at the class certification stage is “whether the operative legal principles, as applied to the facts of the case, render the claims susceptible to resolution on a common basis“].)
” ‘As a general rule if the defendant‘s liability can be determined by facts common to all members of the class, a class will be certified even if the
In challenging the trial court‘s determination, Vigil contends there are common questions regarding whether Centeno had unauthorized access to the patient spreadsheet and whether Muir was negligent in protecting that document. The evidence she presented on those issues below consists of the depositions of two of Muir‘s HIPAA security officers, a report from the investigation of the data breach, and Muir‘s policies. Based on this evidence, the question whether Muir failed to use due care in maintaining patients’ private medical information is a significant issue susceptible to common proof. However, Vigil‘s burden “is not merely to show that some common issues exist, but rather, to place substantial evidence in the record that common issues predominate.” (Lockheed Martin Corp. v. Superior Court (2003) 29 Cal.4th 1096, 1108.)
On this record, the trial court did not abuse its discretion in concluding individual issues would predominate over common issues. The record demonstrates that Centeno may have viewed some of the information on the patient spreadsheet, but Vigil presented no evidence indicating whose information was viewed. There is also no evidence suggesting that other unauthorized parties viewed the information in the patient spreadsheet or that it was posted or disclosed in a public forum like the information at issue in Stasi or in Berkeley Police Assn. Therefore, most, if not all, of the almost 5,500 potential class members would be unable to maintain their CMIA claims against Muir unless they could establish that an unauthorized party viewed their confidential medical information and that Muir‘s negligence caused this breach of confidentiality.
In our research, we have not found any state cases, and the parties have not provided any, that concern the predominance requirement in a CMIA case or in a similar data breach action. The few federal cases that address CMIA claims, however, suggest that individual questions regarding whether a breach
Similarly, in Falkenberg, the court determined on a motion to dismiss that plaintiffs had adequately alleged a claim for violation of the CMIA after a thief stole a password-protected laptop containing plaintiffs’ and other patients’ confidential information. (Falkenberg v. Alere Home Monitoring, Inc. (N.D.Cal., Feb. 23, 2015, No. 13-cv-00341-JST) 2015 WL 800378, at pp. *1, *3.) The court found that the plaintiffs’ CMIA claim was supported by allegations that their confidential medical information was viewed by an unauthorized party because they alleged that they gave the defendant that information, that they suffered identity theft sometime from three weeks to “weeks-and-months” from when the defendant‘s laptop containing the plaintiffs’ information was stolen, that they had never suffered identity theft previously, that they took extra precautions to ensure their information was not disclosed to unknown third parties, and that the thieves opened fraudulent accounts using the plaintiffs’ social security numbers, information that the defendant had and which was “not generally as available as date of birth, full name, and address.” (Falkenberg, at p. *3.) The court noted that where a plaintiff claims a data breach caused them to be the victim of identity theft, there must be a ” ‘nexus’ ” between the alleged identity theft and the data breach ” ‘beyond allegations of time and sequence,’ ” and that there was such a nexus in that case. (Id. at p. *4.)
Applying the principles of those cases, the case here would require an assessment of each putative class member‘s circumstances to determine whether his or her information was viewed by an unauthorized party and whether the data breach caused this breach of confidentiality. This assessment includes questions regarding whether third parties used plaintiffs’ information, whether this use was without authorization, the timing of this misuse, whether plaintiffs took measures to protect against the misuse of their information, whether the information used was involved in the data breach, and whether third parties could have obtained this information through other means.
We conclude substantial evidence supports the trial court‘s determination. On the record before us, each class member‘s “right to recover depends on facts peculiar to his case.” (City of San Jose v. Superior Court, supra, 12 Cal.3d at p. 459; Duran v. U.S. Bank National Assn., supra, 59 Cal.4th at p. 30.) Although it is only a general rule that a class cannot be maintained where liability turns on the facts of individual cases, the problems of proof here appear sufficiently pervasive and substantial as to support the trial court‘s denial of class certification based on the predominance of those questions.
DISPOSITION
The order is affirmed. Muir shall recover its costs on appeal.
STEWART, J.
We concur.
RICHMAN, Acting P.J.
MILLER, J.
Notes
In her reply, Vigil cites for the first time a federal case in support of her argument that a breach of confidentiality occurred when Centeno downloaded the patient spreadsheet and saved it to her personal phone or email account. Even assuming Vigil has not forfeited this argument (see Paulus v. Bob Lynch Ford, Inc. (2006) 139 Cal.App.4th 659, 685), that case is distinguishable because the plaintiff‘s claims arose from defendants’ breach of contractual, not statutory, duties. (Allergan, Inc. v. Merz Pharmaceuticals, LLC (C.D.Cal., March 9, 2012, No. SACV 11-446 AG (Ex)) 2012 WL 781705, at p. *11.)
In her reply, Vigil also attempts to factually distinguish this case from Sutter Health based on evidence indicating that Centeno was aware of the contents of the patient spreadsheet and of its value to her new employer, that she downloaded it and retained it after her termination from Muir, and that she offered to provide the spreadsheet to her new employer. She fails to explain, however, why those facts show Sutter Health was wrongly decided.
