Vigil v. Muir Med. Grp. Ipa, Inc.

• Decision Date: 26 September 2022
• Docket Number: A160897
• Citation: 84 Cal.App.5th 197,300 Cal.Rptr.3d 32
• Parties: Maria VIGIL, Plaintiff and Appellant, v. MUIR MEDICAL GROUP IPA, INC., Defendant and Respondent.
• Court: California Court of Appeals Court of Appeals

84 Cal.App.5th 197

300 Cal.Rptr.3d 32

Maria VIGIL, Plaintiff and Appellant,

v.MUIR MEDICAL GROUP IPA, INC., Defendant and Respondent.

A160897

Court of Appeal, First District, Division 2, California.

Filed September 26, 2022

John J. Nelson, 550 West C Street, Ste 1760, San Diego, CA 92101-8564, Trenton Kashima, Sommers Schwartz, P.C., 402 West Broadway, Suite 1760, San Diego, CA 92101-8546, Jeffrey Robert Krinsk, Finkelstein & Krinsk, 550 West C Street, Ste 1760, San Diego, CA 92101-8564, for Plaintiff and Appellant.

Steven James Boranian, Reed Smith LLP, 101 Second Street, Suite 1800, San Francisco, CA 94105, David Jason de Jesus, Reed Smith LLP, 101 Second Street - Suite 1800, San Francisco, CA 94105, Emily F. Lynch, Reed Smith LLP, 101 Second Street, Suite 1800, San Francisco, CA 94105-3659, for Defendant and Respondent.

STEWART, J.

Maria Vigil filed a class action against Muir Medical Group IPA, Inc. (Muir), claiming that it failed to secure patients’ personal information, thereby allowing a former employee to download private medical information belonging to over 5,000 patients and take it with her when she left her employment with Muir. Among other causes of action, the class complaint alleges that Muir violated Civil Code ¹ sections 56.101 and 56.36, subdivision (b), of the Confidentiality of Medical Information Act (CMIA) (§ 56 et seq.) by negligently releasing class members’ confidential medical information.

Several months after initiating the action, Vigil filed a motion for class certification. The trial court denied the motion, finding as to the CMIA claim that each class member would have to show that the confidential nature of his or her medical information had been breached by an unauthorized party, as required by Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 174 Cal.Rptr.3d 653 ( Sutter Health ), and therefore that common issues would not predominate.

Vigil appeals, asserting that the trial court relied on an erroneous reading of the CMIA and that a breach of confidentiality can be shown on a class wide basis. We reject those arguments, and we affirm, concluding that the trial court properly applied the CMIA and exercised its discretion in denying class certification.

BACKGROUND

I.The Data Breach and Vigil's Complaint

Muir is an independent practice association that consists of primary care and specialty care providers that provide medical services to patients through the John Muir Health system.

In May 2018, Ute Burness, Chief Executive Officer of Muir, notified certain patients that their personal information may have been involved in a data breach that occurred in December 2017. According to Burness, Muir discovered in March 2018 that a former employee took with her certain information in the possession of Muir before her employment ended with Muir (the data breach). The letter stated that Muir conducted an investigation, and "there is no evidence to date that your personal information has been misused in any way."² Vigil was one of the patients who received this notice. Muir later admitted that the former employee, Myrissa Centeno, had downloaded copies of information for over 5,400 patients that included insurance and clinical information.

In July 2018, Vigil filed a class action complaint asserting causes of action for violation of the Customer Records Act (CRA) ( § 1798.80 et seq. ), violation of the CMIA ( § 56 et seq. ), unlawful and unfair business practices under the Unfair Competition Law (UCL) ( Bus. & Prof. Code, § 17200 et seq. ), and negligence. The UCL claim was predicated on the statutory and negligence claims. The complaint alleged that under the Health Insurance Portability and Accountability Act's (HIPAA) Security Management Process standard ( 45 C.F.R. § 164.308 ), Muir's employees should not have had access to records concerning approximately 5,500 patients without a "compelling" reason, nor should they have been able to take sensitive patient information with them. The complaint sought compensatory and punitive damages for Muir's alleged negligence in failing to secure plaintiffs’ personal information. The complaint also alleged that this negligence violated the CRA.

The complaint further alleged that Muir violated sections 56.101, subdivision (a), and 56.36, subdivision (b), of the CMIA by negligently releasing patients’ medical information without those patients’ authorization. Accordingly, the complaint sought statutory damages under the CMIA for each class member.

II.Motion for Class Certification

In September 2019, Vigil moved for class certification, appointment of her counsel as class counsel and appointment of herself as class representative. As pertinent here, Vigil contended that the complaint presented questions common to the class regarding whether Muir was negligent in handling class members’ private medical information by failing to comply with its own HIPAA security policies, whether this negligence caused the data breach, and whether Centeno accessed and retained the private medical information without authorization. Vigil supported her motion with her declaration, citations to the depositions of two of Muir's HIPAA security officers and some of the deposition exhibits, including Muir's HIPAA policies, and Muir's discovery responses.

In opposition, Muir argued, among other things, that a CMIA claim requires a showing that the confidential nature of the plaintiff's medical information was breached, and that Sutter Health , supra , 227 Cal.App.4th 1546, 174 Cal.Rptr.3d 653 held that there is no breach of confidentiality under the CMIA unless an unauthorized party has "actually viewed" the information. ( Id . at p. 1550, 174 Cal.Rptr.3d 653.) Thus, according to Muir, individualized issues of fact and law would predominate over the common questions because each putative class member would have to show that an unauthorized person viewed his or her confidential medical information.

In her reply, Vigil asserted that the case could be decided on a class-wide basis because there was evidence that Centeno downloaded, retained, and viewed a patient spreadsheet, and the CMIA does not require a showing that an unauthorized person read each line of medical data. In support, Vigil presented excerpts of the deposition of Janet Kesterson, Centeno's colleague at her current employer, that Vigil contended shows Centeno disclosed to Kesterson patient information she obtained from Muir. Kesterson testified that in March 2018, their employer tasked her and Centeno with traveling to offices to get phone numbers for Medicare members. Centeno told Kesterson there was no need to go to those offices because she had the phone numbers, and she "lifted her phone and just scrolled real fast." Kesterson testified that she could not "decipher what information [Centeno] was scrolling through." She "could just tell it was an Excel spreadsheet."

Following a hearing on the motion, the trial court issued an order denying class certification. The court found that Vigil had conceded that the CRA does not apply to Muir, and thus the "crux" of Vigil's case "rest[ed] on her claim for breach of the Confidentiality of Medical Information Act."³ It further found that the predominance of common questions requirement was not met because under the CMIA, "individualized inquiries would be required to prove Defendant's liability and damages to each of the nearly 5,500 proposed class members." Specifically, it concluded that "[l]iability for each class member is predicated on whether his or her information was actually viewed , which on these facts is not capable of resolution in the aggregate."

Vigil appeals from the order denying class certification.

DISCUSSION

Vigil argues we should reverse the trial court's order because it relied on an erroneous reading of the CMIA in finding a predominance of individual issues. We conclude the trial court did not err in its application of the CMIA, and the class complaint's allegations raise questions regarding breach of confidentiality and causation that necessarily require individualized inquiries regarding many, if not all, of the putative class members. Those individualized issues predominate over common questions of law and fact, and thus we uphold the order denying class certification. (See Linder v. Thrifty Oil Co. (2000) 23 Cal.4th 429, 436, 97 Cal.Rptr.2d 179, 2 P.3d 27 ( Linder ) [" ‘Any valid pertinent reason stated will be sufficient to uphold the order’ "].)

I.Legal Standards

A. The Governing Statutes

The CMIA protects the confidentiality of patients’ medical information.

( Loder v. City of Glendale (1997) 14 Cal.4th 846, 859, 59 Cal.Rptr.2d 696, 927 P.2d 1200.) It does so by prohibiting health care providers from disclosing a patient's medical information without authorization ( § 56.10 ) and imposing a duty on health care providers who create, maintain, or dispose of medical information to do so in a manner that preserves the confidentiality of that information ( § 56.101, subd. (a) ). Subdivision (b) of section 56.36 provides remedies to patients for a health care provider's "release" of confidential medical information in violation of the CMIA. ( § 56.36, subd. (b).)

Here, Vigil alleges Muir violated section 56.101, subdivision (a), thereby invoking the remedy in section 56.36, subdivision (b). Subdivision (a) of section 56.101 provides in full, "Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." ( § 56.101,...