California Supreme Court changes data breach standards for medical privacy law

The California Supreme Court has issued a major ruling that will make it easier for patients to sue over medical data breaches while also narrowing which companies are subject to the state’s strict medical privacy law. The decision affects everyone from hospitals to health apps to educational technology companies.

The May 14, 2026 ruling in J.M. v. Illuminate Education changes how courts interpret the Confidentiality of Medical Information Act (CMIA), one of the strongest state medical privacy laws in the country. The case involved an educational technology company that suffered a data breach exposing students’ medical information.

What California’s medical privacy law covers

California’s CMIA, first enacted in 1979, goes beyond federal HIPAA protections in many ways. The law covers traditional healthcare providers but has expanded over the years to include:

  • Healthcare service plans and pharmaceutical companies
  • Businesses organized to maintain medical information for patient management
  • Vendors of personal health record software and mobile health apps
  • Other entities that handle individually identifiable medical information

The law is popular in class action lawsuits because it allows patients to collect $1,000 per violation without proving actual harm, plus attorney fees and other damages.

Court makes it easier to prove data breaches

The Supreme Court’s biggest change involves how plaintiffs can prove a breach of medical confidentiality. Previously, many courts required patients to show that unauthorized people “actually viewed” their medical information during a breach.

The court announced a new standard that’s much more favorable to patients. Now, a breach occurs when medical information is “exposed to a significant risk of unauthorized access or use.”

Courts will consider several factors:

  • The nature, duration, and extent of the breach
  • What steps the company took to limit damage
  • Whether hackers specifically targeted the medical data or stumbled across it
  • Other circumstances around the incident

This change means more data breach lawsuits will likely survive early court challenges, putting pressure on companies to settle cases quickly.

Educational technology company gets narrow victory

While the court made it easier to prove breaches generally, Illuminate Education won its specific case. The court ruled that the ed-tech company doesn’t qualify as a “provider of healthcare” under California law.

Illuminate’s platform helped schools with things like dyslexia screening and educational planning. The court said this was primarily educational, not medical. Students and parents could access some health information, but only for educational purposes – not to manage their own health records or get medical treatment.

The ruling clarifies that California’s medical privacy law targets companies that help patients control their health information or provide medical services, not educational technology vendors that happen to handle some health data.

Impact on different industries

The decision will affect several sectors differently:

Healthcare providers and health-tech companies will see more lawsuits survive early court challenges. They need stronger data security and should document their breach response procedures.

Educational technology companies may have better defenses against medical privacy lawsuits if they can show their primary purpose is educational, not medical.

Fitness apps, wellness platforms, and other consumer-facing companies should carefully review whether they qualify as healthcare providers under the law’s definitions.

What companies should do now

The ruling has immediate implications for how companies handle medical data in California. Organizations should:

  • Review whether they qualify as healthcare providers under the law’s specific requirements
  • Strengthen data security measures and document breach response procedures
  • Assess how the new “significant risk” standard might apply to their data handling
  • Review contracts with schools, employers, or other entities that provide them with medical information

Companies involved in current medical privacy lawsuits should quickly evaluate how this decision affects their cases and settlement strategies.

The court also hinted at future challenges, noting that “evolving technologies” like artificial intelligence could enable unauthorized use of medical information “without anyone actually viewing the information.” This suggests more legal battles ahead as technology continues to change how medical data is processed and potentially compromised.