Vigil v. Muir Medical Group IPA CA1/2 ( 2022 )


Menu:
  • Filed 9/26/22 Vigil v. Muir Medical Group IPA CA1/2
    NOT TO BE PUBLISHED IN OFFICIAL REPORTS
    California Rules of Court, rule 8.1115(a), prohibits courts and parties from citing or relying on opinions not certified for
    publication or ordered published, except as specified by rule 8.1115(b). This opinion has not been certified for publication or
    ordered published for purposes of rule 8.1115.
    IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA
    FIRST APPELLATE DISTRICT
    DIVISION TWO
    MARIA VIGIL,
    Plaintiff and Appellant,
    A160897
    v.
    MUIR MEDICAL GROUP IPA,                                                (Contra Costa County
    INC.,                                                                  Super. Ct. No. C1801331)
    Defendant and Respondent.
    Maria Vigil filed a class action against Muir Medical Group IPA, Inc.
    (Muir), claiming that it failed to secure patients’ personal information,
    thereby allowing a former employee to download private medical information
    belonging to over 5,000 patients and take it with her when she left her
    employment with Muir. Among other causes of action, the class complaint
    alleges that Muir violated Civil Code 1 sections 56.101 and 56.36,
    subdivision (b), of the Confidentiality of Medical Information Act (CMIA)
    (§ 56 et seq.) by negligently releasing class members’ confidential medical
    information.
    Several months after initiating the action, Vigil filed a motion for class
    certification. The trial court denied the motion, finding as to the CMIA claim
    1    Unless otherwise indicated, all statutory references are to the Civil
    Code.
    1
    that each class member would have to show that the confidential nature of
    his or her medical information had been breached by an unauthorized party,
    as required by Sutter Health v. Superior Court (2014) 
    227 Cal.App.4th 1546
    (Sutter Health), and therefore that common issues would not predominate.
    Vigil appeals, asserting that the trial court relied on an erroneous
    reading of the CMIA and that a breach of confidentiality can be shown on a
    class wide basis. We reject those arguments, and we affirm, concluding that
    the trial court properly applied the CMIA and exercised its discretion in
    denying class certification.
    BACKGROUND
    I.
    The Data Breach and Vigil’s Complaint
    Muir is an independent practice association that consists of primary
    care and specialty care providers that provide medical services to patients
    through the John Muir Health system.
    In May 2018, Ute Burness, Chief Executive Officer of Muir, notified
    certain patients that their personal information may have been involved in a
    data breach that occurred in December 2017. According to Burness, Muir
    discovered in March 2018 that a former employee took with her certain
    information in the possession of Muir before her employment ended with
    Muir (the data breach). The letter stated that Muir conducted an
    investigation, and “there is no evidence to date that your personal
    information has been misused in any way.”2 Vigil was one of the patients
    2  The trial court granted Muir’s motion to file under seal some portions
    of the class certification papers and the supporting evidence. Accordingly, we
    will not divulge the content of the sealed portions of the record (Cal. Rules of
    Court, rule 8.46(b)(1)), which largely concern Muir’s internal investigation of
    2
    who received this notice. Muir later admitted that the former employee,
    Myrissa Centeno, had downloaded copies of information for over 5,400
    patients that included insurance and clinical information.
    In July 2018, Vigil filed a class action complaint asserting causes of
    action for violation of the Customer Records Act (CRA) (§ 1798.80 et seq.),
    violation of the CMIA (§ 56 et seq.), unlawful and unfair business practices
    under the Unfair Competition Law (UCL) (Bus. & Prof. Code, § 17200 et
    seq.), and negligence. The UCL claim was predicated on the statutory and
    negligence claims. The complaint alleged that under the Health Insurance
    Portability and Accountability Act’s (HIPAA) Security Management Process
    standard (
    45 C.F.R. § 164.308
    ), Muir’s employees should not have had access
    to records concerning approximately 5,500 patients without a “compelling”
    reason, nor should they have been able to take sensitive patient information
    with them. The complaint sought compensatory and punitive damages for
    Muir’s alleged negligence in failing to secure plaintiffs’ personal information.
    The complaint also alleged that this negligence violated the CRA.
    The complaint further alleged that Muir violated sections 56.101,
    subdivision (a), and 56.36, subdivision (b), of the CMIA by negligently
    releasing patients’ medical information without those patients’ authorization.
    Accordingly, the complaint sought statutory damages under the CMIA for
    each class member.
    II.
    Motion for Class Certification
    In September 2019, Vigil moved for class certification, appointment of
    her counsel as class counsel and appointment of herself as class
    the data breach and the issue of whether Muir failed to take adequate
    measures to secure patients’ confidential information.
    3
    representative. As pertinent here, Vigil contended that the complaint
    presented questions common to the class regarding whether Muir was
    negligent in handling class members’ private medical information by failing
    to comply with its own HIPAA security policies, whether this negligence
    caused the data breach, and whether Centeno accessed and retained the
    private medical information without authorization. Vigil supported her
    motion with her declaration, citations to the depositions of two of Muir’s
    HIPAA security officers and some of the deposition exhibits, including Muir’s
    HIPAA policies, and Muir’s discovery responses.
    In opposition, Muir argued, among other things, that a CMIA claim
    requires a showing that the confidential nature of the plaintiff’s medical
    information was breached, and that Sutter Health, supra, 
    227 Cal.App.4th 1546
     held that there is no breach of confidentiality under the CMIA unless an
    unauthorized party has “actually viewed” the information. (Id. at p. 1550.)
    Thus, according to Muir, individualized issues of fact and law would
    predominate over the common questions because each putative class member
    would have to show that an unauthorized person viewed his or her
    confidential medical information.
    In her reply, Vigil asserted that the case could be decided on a class-
    wide basis because there was evidence that Centeno downloaded, retained,
    and viewed a patient spreadsheet, and the CMIA does not require a showing
    that an unauthorized person read each line of medical data. In support, Vigil
    presented excerpts of the deposition of Janet Kesterson, Centeno’s colleague
    at her current employer, that Vigil contended shows Centeno disclosed to
    Kesterson patient information she obtained from Muir. Kesterson testified
    that in March 2018, their employer tasked her and Centeno with traveling to
    offices to get phone numbers for Medicare members. Centeno told Kesterson
    4
    there was no need to go to those offices because she had the phone numbers,
    and she “lifted her phone and just scrolled real fast.” Kesterson testified that
    she could not “decipher what information [Centeno] was scrolling through.”
    She “could just tell it was an Excel spreadsheet.”
    Following a hearing on the motion, the trial court issued an order
    denying class certification. The court found that Vigil had conceded that the
    CRA does not apply to Muir, and thus the “crux” of Vigil’s case “rest[ed] on
    her claim for breach of the Confidentiality of Medical Information Act.” 3 It
    further found that the predominance of common questions requirement was
    not met because under the CMIA, “individualized inquiries would be required
    to prove Defendant’s liability and damages to each of the nearly 5,500
    proposed class members.” Specifically, it concluded that “[l]iability for each
    class member is predicated on whether his or her information was actually
    viewed, which on these facts is not capable of resolution in the aggregate.”
    Vigil appeals from the order denying class certification.
    DISCUSSION
    Vigil argues we should reverse the trial court’s order because it relied
    on an erroneous reading of the CMIA in finding a predominance of individual
    issues. We conclude the trial court did not err in its application of the CMIA,
    and the class complaint’s allegations raise questions regarding breach of
    confidentiality and causation that necessarily require individualized
    inquiries regarding many, if not all, of the putative class members. Those
    individualized issues predominate over common questions of law and fact,
    and thus we uphold the order denying class certification. (See Linder v.
    3  On appeal, Vigil does not dispute this finding, and thus for purposes
    of this appeal, we presume the trial court was correct in finding that the CRA
    does not apply here and that this matter turns on the CMIA claim. (See
    Hewlett-Packard Co. v. Oracle Corp. (2021) 
    65 Cal.App.5th 506
    , 563.)
    5
    Thrifty Oil Co. (2000) 
    23 Cal.4th 429
    , 436 (Linder) [“ ‘Any valid pertinent
    reason stated will be sufficient to uphold the order’ ”].)
    I.
    Legal Standards
    A. The Governing Statutes
    The CMIA protects the confidentiality of patients’ medical information.
    (Loder v. City of Glendale (1997) 
    14 Cal.4th 846
    , 859.) It does so by
    prohibiting health care providers from disclosing a patient’s medical
    information without authorization (§ 56.10) and imposing a duty on health
    care providers who create, maintain, or dispose of medical information to do
    so in a manner that preserves the confidentiality of that information
    (§ 56.101, subd. (a)). Subdivision (b) of section 56.36 provides remedies to
    patients for a health care provider’s “release” of confidential medical
    information in violation of the CMIA. (§ 56.36, subd. (b).)
    Here, Vigil alleges Muir violated section 56.101, subdivision (a),
    thereby invoking the remedy in section 56.36, subdivision (b). Subdivision (a)
    of section 56.101 provides in full, “Every provider of health care, health care
    service plan, pharmaceutical company, or contractor who creates, maintains,
    preserves, stores, abandons, destroys, or disposes of medical information
    shall do so in a manner that preserves the confidentiality of the information
    contained therein. Any provider of health care, health care service plan,
    pharmaceutical company, or contractor who negligently creates, maintains,
    preserves, stores, abandons, destroys, or disposes of medical information
    shall be subject to the remedies and penalties provided under subdivisions (b)
    and (c) of Section 56.36.” (§ 56.101, subd. (a).)
    Section 56.36, subdivision (b), provides, in turn, “In addition to any
    other remedies available at law, any individual may bring an action against
    6
    any person or entity who has negligently released confidential information or
    records concerning him or her in violation of this part, for either or both of
    the following: [¶] (1) Except as provided in subdivision (e), nominal damages
    of one thousand dollars ($1,000). In order to recover under this paragraph, it
    is not necessary that the plaintiff suffered or was threatened with actual
    damages. [¶] (2) The amount of actual damages, if any, sustained by the
    patient.”
    B. The Case Law Interpreting Sections 56.36 and 56.101 of the
    CMIA
    Sutter Health, supra, 
    227 Cal.App.4th 1546
     and its predecessor,
    Regents of University of California v. Superior Court (2013) 
    220 Cal.App.4th 549
     (Regents), are central to the parties’ arguments in this appeal. Those
    cases address some of the requirements of a CMIA claim under
    sections 56.101, subdivision (a), and 56.36, subdivision (b), and hold that one
    such requirement is a breach of the confidentiality of the plaintiff’s medical
    information.
    In Regents, a thief stole an external hard drive and a card containing
    the hard drive’s encryption password from the home of a physician working
    within the Regents health care system. (Regents, supra, 220 Cal.App.4th at
    p. 554.) The plaintiff, whose medical information was on the hard drive along
    with the medical information of more than 16,000 other patients, filed a
    complaint asserting a violation of the CMIA and seeking nominal damages
    for herself and for each of the more than 16,000 patients. (Regents, at
    pp. 554–555.) The complaint alleged that Regents failed to exercise due care
    to prevent the release or disclosure of the medical information, “ ‘and as a
    result it negligently lost possession of the hard drive and encryption
    passwords.’ ” (Id. at p. 555.) Regents demurred to the complaint, and the
    trial court overruled the demurrer. (Id. at pp. 555–556.) Regents sought a
    7
    writ of mandate requiring the trial court to sustain the demurrer, and the
    appellate court granted review of the trial court’s ruling. (Id. at pp. 557, 571.)
    On review, the court first noted that the parties did not dispute that
    the plaintiff had adequately alleged a violation of the duty imposed on
    Regents by section 56.101, subdivision (a), “to maintain and store medical
    information in a manner that preserves the confidentiality of that
    information.” (Regents, supra, 220 Cal.App.4th at p. 560.) The court thus
    framed the issue before it as “the nature of [the remedy in section 56.36,
    subdivision (b)] as applied to the negligent maintenance or storage of medical
    information.” (Ibid.) That section and the elements of the cause of action it
    creates, the court held, are incorporated by reference into section 56.101 and
    require a “release” of confidential information. (Regents, at pp. 561–562,
    564.) Regents argued that the term “release” in section 56.36 was
    synonymous with “disclose” in section 56.10, subdivision (a), which requires a
    showing of an “affirmative communicative act” by the healthcare provider.
    (Regents, at p. 564.) The court disagreed, finding that under the common or
    ordinary dictionary meanings of those terms, “disclose” is an active verb,
    while “release” is broader and can include passive conduct. (Ibid.) It
    concluded, “a health care provider who has negligently maintained
    confidential medical information and thereby allowed it to be accessed by an
    unauthorized third person—that is, permitted it to escape or spread from its
    normal place of storage—may have negligently released the information
    within the meaning of CMIA.” (Id. at p. 565.)
    The Regents court went on to hold, however, that even under this broad
    interpretation of “release,” pleading loss of possession was insufficient to
    state a cause of action under sections 56.101, subdivision (a), and 56.36,
    subdivision (b), for negligent maintenance or storage of confidential medical
    8
    information. (Regents, supra, 220 Cal.App.4th at pp. 569–570.) “What is
    required is pleading, and ultimately proving, that the confidential nature of
    the plaintiff’s medical information was breached as a result of the health care
    provider’s negligence.” (Id. at p. 570.) The court noted in a footnote that
    section 56.101 allows a health care provider to dispose of, and therefore lose
    possession of, confidential medical records so long as the confidentiality of the
    records is preserved. (Regents, at p. 570, fn. 14.) In the case before it, no one
    knew what happened to the hard drive other than the thief that stole it, and
    thus the court concluded the plaintiff could not allege that her medical
    records “were, in fact, viewed by an unauthorized individual.” (Id. at p. 570.)
    All she alleged was that Regents negligently lost possession of the medical
    information. (Ibid.) Accordingly, the court issued a writ of mandate directing
    the trial court to vacate its order overruling Regents’ demurrer and to enter a
    new order sustaining the demurrer without leave to amend. (Id. at p. 571.)
    The Third District decided Sutter Health the following year. Sutter
    Health involved a stolen desktop computer. (Sutter Health, supra,
    227 Cal.App.4th at p. 1552.) Stored on the computer’s hard drive were the
    medical records of more than four million patients in password-protected but
    unencrypted format. (Ibid.) The plaintiffs filed a complaint asserting
    violations of the CMIA. (Sutter Health, at p. 1552.) The defendant health
    care provider demurred, arguing the complaint did not state a claim under
    the CMIA because it did not allege that any unauthorized person had viewed
    the stolen medical information. (Sutter Health, at p. 1552.) The trial court
    overruled the demurrer, concluding the complaint sufficiently alleged a cause
    of action for breach of the CMIA. (Sutter Health, at p. 1552.) On a petition
    for writ of mandate challenging the order overruling the defendant’s
    demurrer, the Court of Appeal agreed with Regents that the plaintiffs must
    9
    plead and prove a breach of confidentiality, and it clarified that “[n]o breach
    of confidentiality takes place until an unauthorized person views the medical
    information.” (Sutter Health, at pp. 1553, 1555, 1557.)
    The Third District arrived at this conclusion differently from the
    Second District, however. (Sutter Health, supra, 227 Cal.App.4th at p. 1555.)
    Unlike the Regents court, the Sutter Health court found that the duty of
    confidentiality imposed on health care providers by section 56.101 was not
    violated without an actual confidentiality breach, and that there was no need
    to consider the remedy provided in section 56.36 until such a violation
    occurred. (Sutter Health, at p. 1555.) The Third District relied on the first
    sentence of subdivision (a) of section 56.101—“ ‘Every provider of health
    care . . . who creates, maintains, preserves, stores, abandons, destroys, or
    disposes of medical information shall do so in a manner that preserves the
    confidentiality of the information contained therein.’ ” (Sutter Health, at
    p. 1556.) This language, the court opined, “makes it clear that preserving the
    confidentiality of the medical information, not necessarily preventing others
    from gaining possession of the paper-based or electronic information itself, is
    the focus of the legislation. Therefore, if the confidentiality is not breached,
    the statute is not violated.” (Ibid.) The first sentence of that subdivision
    “allows for change of possession as long as confidentiality is preserved.”
    (Ibid.) The court further reasoned that “[n]o breach of confidentiality takes
    place until an unauthorized person views the medical information,” because
    “[i]t is the medical information, not the physical record (whether in electronic,
    paper, or other form), that is the focus of the Confidentiality Act.” (Id. at
    p. 1557.)
    The court noted that the second sentence of section 56.101,
    subdivision (a), does not repeat the language in the first sentence imposing a
    10
    duty of confidentiality on the health care provider but this did not change its
    analysis because the second sentence makes the health care provider liable
    for negligence. (Sutter Health, supra, 227 Cal.App.4th at pp. 1557–1558.)
    Applying general negligence principles, the court found that “[t]he duty is to
    preserve confidentiality, and a breach of confidentiality is the injury
    protected against.” (Id. at p. 1558.) “Without an actual confidentiality
    breach there is no injury and therefore no negligence under section 56.101.”
    (Ibid.)
    The court concluded the defendant did not violate section 56.101
    because the plaintiffs had not alleged that their information was viewed.
    (Sutter Health, supra, 227 Cal.App.4th at p. 1559.) Accordingly, the court
    found that there was no reason to look to section 56.36 since it provides
    remedies only when a health care provider “ ‘has negligently released
    confidential information or records concerning [the plaintiff] in violation of
    this part . . . .’ ” (Sutter Health, at p. 1558.)
    Although Regents and Sutter Health were decided at the pleading
    stage, both hold that a breach of confidentiality under sections 56.101,
    subdivision (a) and 56.36, subdivision (b) requires more than a showing that
    the health care provider negligently maintained or stored confidential
    information and lost possession of the information because of its negligence.
    The interpretation of the CMIA in this case arises not on writ review of
    a demurrer ruling but on appeal from a ruling denying class certification. We
    turn, therefore, to the standards for class certification.
    C. Class Certification Standards and Standards of Review
    To properly allege a class, Vigil must “demonstrate the existence of an
    ascertainable and sufficiently numerous class, a well-defined community of
    11
    interest, and substantial benefits from certification that render proceeding as
    a class superior to the alternatives.” (Brinker Restaurant Corp. v. Superior
    Court (2012) 
    53 Cal.4th 1004
    , 1021 (Brinker).) Community of interest, or
    commonality, encompasses three factors, including “ ‘predominant common
    questions of law or fact.’ ” (Linder, 
    supra,
     23 Cal.4th at p. 435.) “To establish
    the requisite community of interest, the proponent of certification must show,
    inter alia, that questions of law or fact common to the class predominate over
    the questions affecting the individual members . . . .” (Washington Mutual
    Bank, FA v. Superior Court (2001) 
    24 Cal.4th 906
    , 913.)
    The denial of class certification to an entire class is an appealable
    order. (Linder, 
    supra,
     23 Cal.4th at p. 435.) We review a ruling on class
    certification for abuse of discretion. (Brinker, 
    supra,
     53 Cal.4th at pp. 1017,
    1022.) A trial court ruling supported by substantial evidence will not be
    disturbed unless it rests on improper criteria or erroneous legal assumptions.
    (Sav-On Drug Stores, Inc. v. Superior Court (2004) 
    34 Cal.4th 319
    , 326–327.)
    We review de novo issues of statutory construction. (Regents, supra,
    220 Cal.App.4th at p. 558.)
    II.
    Analysis
    A. The Trial Court Did Not Err in Its Interpretation of the
    CMIA.
    This class action is predicated on Muir’s alleged negligence in
    maintaining and releasing confidential information in violation of
    sections 56.101, subdivision (a), and 56.36, subdivision (b), and thus Vigil and
    the putative class members must plead and prove that “the confidential
    nature of the plaintiff’s medical information was breached as a result of the
    health care provider’s negligence.” (Regents, supra, 220 Cal.App.4th at
    p. 570.) Vigil appears to agree that Muir has not violated sections 56.101,
    12
    subdivision (a), and 56.36, subdivision (b), unless there is a breach of
    confidentiality. The parties dispute, however, what this showing entails and
    whether it is an individualized showing.
    1. The Court Correctly Determined That a Breach of
    Confidentiality Requires an Unauthorized Person to Have
    “Actually Viewed” the Confidential Medical Information.
    Vigil first argues that under Regents, confidential information that is
    “viewed, published, accessed, downloaded, copied, or otherwise ‘permitted[] to
    escape from its normal place of storage’ ” is “released” within the meaning of
    section 56.36, subdivision (b), and that a plaintiff need only show that the
    health care provider negligently “released” the confidential medical
    information to establish a claim under sections 56.36, subdivision (b), and
    56.101, subdivision (a). She asserts that Sutter Health wrongly narrowed the
    Regents standard for a negligent release claim by requiring a showing that an
    unauthorized party “actually viewed” the confidential medical information to
    prove a breach of confidentiality.
    Based on the statute’s plain language, we agree with Sutter Health that
    a breach of confidentiality under the CMIA requires a showing that an
    unauthorized party viewed the confidential information. The CMIA does not
    define the term “confidential,” but the ordinary meaning of the word supports
    Sutter Health’s “viewed” requirement. (Angelucci v. Century Supper Club
    (2007) 
    41 Cal.4th 160
    , 168 [“In interpreting a statute, we first consider its
    words, giving them their ordinary meaning and construing them in a manner
    consistent with their context and the apparent purpose of the legislation”].)
    The common or ordinary dictionary definition of “confidential” is “private” or
    “secret.” (See, e.g., Black’s Law Dict. (11th ed. 2019) p. 373, col. 1 [“meant to
    be kept secret]; Webster’s Third New International Dict. (1961) p. 158, col. 1
    [“private, secret”].) Thus, under the ordinary meaning of “confidential,” the
    13
    confidential nature of information is not breached unless the information is
    reviewed by unauthorized parties. This construction is consistent with the
    purpose of the CMIA to protect patients’ privacy. (See Brown v. Mortensen
    (2011) 
    51 Cal.4th 1052
    , 1071 [“[T]he interest protected by [the CMIA] is an
    interest in informational privacy”].)
    Moreover, we also agree with Sutter Health’s reasoning that
    section 56.101, subdivision (a), which allows a health care provider to
    “dispose” of or “abandon” medical information so long as the confidentiality of
    that information is preserved, indicates the Legislature did not intend to
    “impose[] liability if the health care provider simply loses possession of the
    medical records.” (Sutter Health, supra, 227 Cal.App.4th at p. 1556.) A
    breach of confidentiality thus entails more than mere loss of possession and
    does not “take[] place until an unauthorized person views the medical
    information.” (Id. at p. 1557.)4
    Vigil presents no basis for departing from Sutter Health. We disagree
    that Sutter Health “narrow[ed]” Regents by requiring more than mere loss of
    possession of medical records to establish a breach of confidentiality. After
    noting that the plaintiff could not “allege her medical records were, in fact,
    viewed by an unauthorized individual,” the Second District held her pleading
    was “deficient” because it amounted to no “more than an allegation of loss of
    possession by the health care provider.” (Regents, supra, 220 Cal.App.4th at
    p. 570.)
    4 Indeed, as the court in Regents stated, loss of possession is not
    necessarily required. “[A] breach of confidentiality, of course, can occur
    whether or not the information remains in the actual possession of the health
    care provider.” (Regents, supra, 220 Cal.App.4th at p. 570, fn. 14.) It is an
    unauthorized person’s viewing and/or use of another’s medical records that
    violates the latter’s interest in privacy of the information they contain.
    14
    Vigil relies on Regents’ plain meaning construction of the term
    “release”—“permit[ting] [the confidential information] to escape or spread
    from its normal place of storage” and “allow[ing] it to be accessed” by an
    unauthorized party—as support for her argument. However, Regents does
    not stand for the proposition that mere loss of possession is sufficient on its
    own to prove a breach of confidentiality under sections 56.101,
    subdivision (a), and 56.36, subdivision (b). The Regents court opined that
    providing an unauthorized party access to confidential information “may”
    support a negligent release claim under the CMIA. (Regents, supra,
    220 Cal.App.4th at p. 565.) But Regents expressly held that mere loss of
    possession was insufficient to establish a “release,” even under a “broad
    interpretation” of that term. (Id. at p. 570.) By “release” in section 56.36,
    subdivision (b) “as incorporated into section 56.101,” the Legislature intended
    “more than an allegation of loss of possession by the health care provider is
    necessary to state a cause of action for negligent maintenance or storage of
    confidential medical information.” (Regents, at p. 570.)
    Vigil points to other sections of the CMIA that use the term “release” as
    support for her argument that the Legislature intended section 56.36,
    subdivision (b), to refer to the actions of the custodian in “surrendering” or
    “mak[ing] available” private medical information to third parties. But those
    sections set forth the circumstances in which a health care provider may
    release medical information to the patient or to third parties; they do not
    impose liability on the health care provider for its “negligence.” (Compare
    § 56.101, subd. (a) with §§ 56.11, 56.104, 56.07.) Muir, on the other hand,
    contends that the Legislature’s use of the word “negligently” in
    sections 56.101 and 56.36 supports the conclusion in Regents and Sutter
    15
    Health that a breach of confidentiality under the CMIA requires more than a
    release of confidential information. We agree.
    “ ‘The fundamental purpose of statutory construction is to ascertain the
    intent of the lawmakers so as to effectuate the purpose of the law.’ ”
    (Realmuto v. Gagnard (2003) 
    110 Cal.App.4th 193
    , 199.) As Sutter Health
    appears to have recognized in its application of general negligence principles
    (Sutter Health, supra, 227 Cal.App.4th at pp. 1557–1558), when the
    Legislature couches its enactment in common law language, we presume that
    it intended to carry over such rules as were part of the common law into
    statutory form. (Presbyterian Camp & Conference Centers, Inc. v. Superior
    Court (2021) 
    12 Cal.5th 493
    , 503 (Presbyterian Camp).) The essential
    elements of common law negligence are “the existence of a duty to use due
    care toward an interest of another that enjoys legal protection against
    unintentional invasion” (Bily v. Arthur Young & Co. (1992) 
    3 Cal.4th 370
    ,
    397), breach of that duty, injury, and causation (Dixon v. City of Livermore
    (2005) 
    127 Cal.App.4th 32
    , 42).
    Vigil’s interpretation of sections 56.36 and 56.101 conflicts with the
    presumption that the Legislature intended to incorporate those common law
    negligence principles. Imposing liability on a health care provider for the
    release of confidential information without a showing that an unauthorized
    party viewed the information would eliminate the injury and causation
    elements of negligence. “[T]he interest protected by [the CMIA] is an interest
    in informational privacy.” (Brown v. Mortensen, 
    supra,
     51 Cal.4th at p. 1071;
    see also Sutter Health, supra, 227 Cal.App.4th at p. 1558 [“a breach of
    confidentiality is the injury protected against” by the CMIA].) Although
    sections 56.101 and 56.36 do not expressly state that a health care provider is
    liable only if its negligence caused a breach of confidentiality, it would be
    16
    inappropriate to read the causation and injury elements out of those sections,
    absent a clear expression by the Legislature of the intent to abrogate this
    common law. (See Presbyterian Camp, supra, 12 Cal.5th at p. 503.) No such
    intent appears here.
    Vigil contends Sutter’s reliance on the “duty of confidential[ity] that
    pervades CMIA” is misplaced because some courts have recognized that a
    breach of confidentiality can occur when the information is merely “disclosed”
    or “disseminated,” regardless of whether unauthorized parties viewed the
    information. But the cases Vigil cites as support for this argument do not
    address the CMIA and are inapposite. None stand for the proposition that
    confidentiality is automatically breached whenever the confidential
    information is disseminated to unauthorized parties.
    In U.S. Dept. of Justice v. Landano (1993) 
    508 U.S. 165
    , cited by Vigil,
    the court addressed the meaning of “confidential source” as used in an
    exemption from disclosure under the federal Freedom of Information Act
    (FOIA) for records compiled by criminal law enforcement authorities in the
    course of a criminal investigation. (Landano, at p. 167.) The exemption
    applies if the release of criminal investigation records “ ‘could reasonably be
    expected to disclose’ the identity of, or information provided by, a
    ‘confidential source.’ ” (Ibid.) In rejecting the defendant’s argument “that a
    source is ‘confidential’ for purposes of [the exemption] only if the source can
    be assured, explicitly or implicitly, that the source’s cooperation with the
    Bureau will be disclosed to no one,” the court concluded “this cannot have
    been Congress’ intent.” (Id. at p. 171.) To read “confidential source” as
    meaning one given “[a] promise of complete secrecy” would mean “the FBI
    agent receiving the source’s information could not share it even with other
    FBI personnel” and the information “would be of little use to the Bureau.”
    17
    (Id. at p. 173.) The court’s practical construction of the phrase “confidential
    source” in the context of the exemption from FOIA sheds no light on the
    nature of the CMIA’s breach of confidentiality element.
    Similarly inapposite is Berkeley Police Assn. v. City of Berkeley (2008)
    
    167 Cal.App.4th 385
     (Berkeley Police Assn.), in which the court held that
    interpreting a local ordinance to permit public hearings on citizen complaints
    against a police officer would conflict with provisions of the Police Officers
    Bill of Rights (POBRA) because it would result in disclosure of police
    personnel records those provisions required to be kept confidential. (Berkeley
    Police Assn., at pp. 404–405.) The court’s discussion of which records were
    confidential within the meaning of POBRA, which focused on earlier
    California Supreme Court authority interpreting the scope of POBRA’s
    confidentiality provision and on the specific text of the relevant POBRA
    provisions (Berkeley Police Assn., at pp. 395–402), likewise has no bearing on
    the meaning of the CMIA’s language regarding health care providers’ liability
    for breach of confidentiality.
    The third case cited by Vigil, Culinary Foods, Inc. v. Raychem Corp.
    (N.D.Ill. 1993) 
    151 F.R.D. 297
    , addressed the request of plaintiff, Culinary,
    for a protective order for certain materials it sought to discover from
    Raychem and Raychem’s request for a more restrictive order. The parties
    disputed whether Culinary could disseminate materials determined to be
    confidential to litigants and attorneys involved in similar actions against
    Raychem. (Id. at p. 306.) The court declined to allow such dissemination
    because it “would unduly raise the risk that Raychem’s competitors will
    obtain access to this confidential information” and “make enforcement of this
    protective order overly burdensome to Raychem,” as “evidenced by the fact
    that third parties have in fact received information in violation of protective
    18
    orders issued by other courts.” (Id. at p. 307.) Insofar as Vigil’s point in
    citing Culinary Foods is that allowing unauthorized access to confidential
    information can increase the risk that someone will view and/or make use
    that information, that is no doubt true. However, it does not answer the
    question of whether the Legislature, in adopting sections 56.36 and 56.101,
    intended to impose liability in situations where no actual invasion of the
    plaintiff’s privacy occurs. Moreover, the Sutter Health court recognized that
    the change of possession of confidential information increases the risk of a
    confidentiality breach, but nonetheless held that the CMIA “does not provide
    for liability for increasing the risk of a confidentiality breach.” (Sutter
    Health, supra, 227 Cal.App.4th at p. 1557.)
    Vigil also asserts that a plaintiff would only have to show that an
    unauthorized party “downloaded” or “copied” confidential medical
    information to establish a claim under sections 56.36, subdivision (b), and
    56.101, subdivision (a). However, she fails to present any cogent argument or
    legal authority in support of this conclusion in her opening brief. 5 In any
    5 In her reply, Vigil cites for the first time a federal case in support of
    her argument that a breach of confidentiality occurred when Centeno
    downloaded the patient spreadsheet and saved it to her personal phone or
    email account. Even assuming Vigil has not forfeited this argument (see
    Paulus v. Bob Lynch Ford, Inc. (2006) 
    139 Cal.App.4th 659
    , 685), that case is
    distinguishable because the plaintiff’s claims arose from defendants’ breach
    of contractual, not statutory, duties. (Allergan, Inc. v. Merz Pharmaceuticals,
    LLC (C.D.Cal., March 9, 2012, No. SACV 11-446 AG (Ex)) 
    2012 WL 781705
    ,
    at p. *11.)
    In her reply, Vigil also attempts to factually distinguish this case from
    Sutter Health based on evidence indicating that Centeno was aware of the
    contents of the patient spreadsheet and of its value to her new employer, that
    she downloaded it and retained it after her termination from Muir, and that
    she offered to provide the spreadsheet to her new employer. She fails to
    explain, however, why those facts show Sutter Health was wrongly decided.
    19
    event, a party that downloads or copies electronic files, as Centeno allegedly
    did in this case, does not necessarily breach confidentiality if the party has
    not actually viewed the confidential information included in the file. “It is
    the medical information, not the physical record (whether in electronic,
    paper, or other form), that is the focus of the Confidentiality Act).” (Sutter
    Health, supra, 227 Cal.App.4th at p. 1557.)
    Finally, Vigil argues that the rule of Sutter Health will lead to
    unintended or absurd results. But interpreting sections 56.101 and 56.36 to
    impose liability on health care providers for the “release” of confidential
    information would expose health care providers to liability whenever an
    unauthorized party gains possession of the information, regardless of
    whether confidentiality was breached. On this issue, the Sutter Health court
    presented the example of a thief grabbing a computer containing medical
    information on four million patients and then wiping the hard drive without
    viewing the information. (Sutter Health, supra, 227 Cal.App.4th at p. 1558.)
    In that situation, the health care provider would be liable for at least $4
    billion if we were to interpret section 56.101 as providing nominal damages to
    every person whose medical information came into the possession of an
    unauthorized person. (Ibid.) We do not believe the Legislature intended
    such an extreme result. By contrast, the CMIA’s purpose of protecting the
    confidentiality of private medical information is preserved by interpreting
    those sections as requiring a showing that the confidentiality of the
    information was breached because of the health care provider’s negligence.
    Vigil cites Stasi v. Inmediata Health Grp. Corp. (S.D.Cal. 2020)
    
    501 F.Supp.3d 898
     (Stasi) as support for her argument. There, the defendant
    posted confidential medical information on the internet, “making it
    searchable, findable, viewable, printable, copiable, and downloadable by
    20
    anyone in the world with an internet connection.” (Id. at p. 924.) Vigil
    argues that under “any conceivable standard,” the confidentiality of the
    information at issue in that case was destroyed once it was published online,
    while that would not be the case under Sutter Health if the plaintiffs could
    not prove that an unauthorized party viewed their information. What she
    ignores is that the court in Stasi upheld Sutter Health’s “viewed”
    requirement. (Stasi, at p. 923.) There, on appeal from a motion to dismiss
    for failure to state a claim, the court found that the complaint’s allegations
    gave rise to a reasonable inference that “someone” viewed the confidential
    information since it was accessible “by anyone in the world with an internet
    connection.” (Id. at p. 924.) Thus, Stasi does not support Vigil’s argument.
    We therefore conclude the trial court correctly determined that a
    breach of confidentiality under sections 56.36, subdivision (b), and 56.101,
    subdivision (a), requires a showing that an unauthorized party viewed the
    confidential information at issue.
    2. Vigil Has Not Shown That a Breach of Confidentiality Can
    Be Established on a Class-Wide Basis.
    Vigil next challenges the trial court’s finding that each class member
    would have to prove that his or her medical information was viewed by an
    unauthorized party. She argues that such a requirement cannot be found in
    section 56.36, Sutter Health or Regents. Instead, she claims, Regents shows
    that Vigil would not have to prove that Centeno read any of the information
    contained within the patient spreadsheet; her ability to access the
    information is sufficient under the CMIA. But, as previously discussed, the
    mere ability of an unauthorized party to access information cannot support a
    claim under sections 56.101, subdivision (a), and 56.36, subdivision (b). Vigil
    further contends that under Sutter Health, she need only show that Centeno
    21
    viewed the confidential records and not individual data entries. Muir
    disagrees, arguing that whether a breach of confidentiality under the CMIA
    occurred is an inherently individualized inquiry.
    We agree that a breach of confidentiality under the CMIA is an
    individualized issue. Regents recognized that sections 56.36, subdivision (b),
    and 56.101, subdivision (a), provide a private cause of action for individual
    patients. This private cause of action, like the right of privacy, “ ‘ “is purely a
    personal one.” ’ ” (Regents, supra, 220 Cal.App.4th at p. 563 & fn. 6.) “The
    remedy provided in subdivision (b) [of section 56.36] is the right of an
    individual whose confidential information has been released in violation of
    CMIA to bring a private cause of action for nominal and/or actual damages.”
    (Id. at p. 561.) For a negligent maintenance claim under section 56.101,
    subdivision(a), there is no “release[] . . . in violation of [the CMIA]” if there is
    no breach of confidentiality. (§§ 56.36, subd. (b), 56.101, subd. (a).)
    Accordingly, the individual bringing a private cause of action under those
    sections must establish that the confidential nature of his or her information
    was breached because of the health care provider’s negligence. (See Regents,
    at p. 570.)
    Contrary to Vigil’s assertion in her opening brief, Sutter Health does
    not stand for the proposition that under the CMIA, a plaintiff need only show
    that an unauthorized party viewed some of the confidential information
    included in a medical record, regardless of whether the information viewed
    concerned the plaintiff. Sutter Health did not address this precise issue,
    which Vigil concedes in her reply.
    Vigil contends that because a negligent release claim leads to lesser
    penalties under subdivision (b) of section 56.36 than an intentional release
    22
    claim under subdivision (c) of that section,6 a negligent release claim requires
    a correspondingly less stringent evidentiary standard. But the legislative
    history she cites as support for this argument suggests that the purpose of
    the penalties under that section is deterrence, which in turn indicates that
    the increased penalties were intended to correspond with the increased
    culpability of the person or entity that discloses or uses medical information
    in violation of the CMIA. (See Assem. Com. on Judiciary, Analysis of Sen.
    Bill No. 19 (1999-2000 Reg. Sess.) July 13, 1999, p. 9 [“While the new civil
    penalties in the bill appropriately apply to ‘knowing and willful’ violations,
    the author believes that lesser penalties for negligent conduct that leads to
    an unauthorized disclosure should also be included in order to deter those
    releases as well”].) There is nothing in this history that suggests a negligent
    release claim does not require an individualized showing for the breach of
    confidentiality element.
    Vigil argues for the first time in her reply that based on the plain
    language of section 56.36, subdivision (b), each class member would only have
    to prove that the medical records negligently released by the health care
    provider concerned them. Even assuming she has not forfeited this argument
    (Paulus v. Bob Lynch Ford, Inc., 
    supra,
     139 Cal.App.4th at p. 685), it lacks
    merit. Section 56.36, subdivision (b), provides that the medical records or
    information must have been “negligently released . . . in violation of this
    part.” (§ 56.36, subd. (b).) As mentioned, there is no “release[] . . . in
    6 Subdivision (c) of section 56.36 sets forth administrative fines and
    penalties to be imposed on a person or entity that uses or discloses medical
    information in violation of the CMIA. The amount of the fines and penalties
    increase when the use or disclosure is knowing and willful instead of
    negligent. (§ 56.36, subd. (c).)
    23
    violation of” section 56.101, subdivision (a), if the confidential nature of the
    information was not breached. (§§ 56.36, subd. (b), 56.101, subd. (a).)
    Accordingly, we conclude that each class member would have to show
    that his or her medical information was viewed by an unauthorized party to
    recover under the CMIA.
    B. The Trial Court Did Not Abuse Its Discretion in Finding a
    Predominance of Individual Issues.
    Since Vigil has not shown that a breach of confidentiality can be
    established on a class wide basis, the question then is whether the common
    questions predominate over those individualized questions.
    The key inquiry in determining whether the predominance
    requirement has been met is whether “the issues which may be jointly tried,
    when compared with those requiring separate adjudication, must be
    sufficiently numerous and substantial to make the class action advantageous
    to the judicial process and to the litigants.” (City of San Jose v. Superior
    Court (1974) 
    12 Cal.3d 447
    , 460.) “Presented with a class certification
    motion, a trial court must examine the plaintiff’s theory of recovery, assess
    the nature of the legal and factual disputes likely to be presented, and decide
    whether individual or common issues predominate.” (Brinker, 
    supra,
    53 Cal.4th at p. 1025; see also Ayala v. Antelope Valley Newspapers, Inc.
    (2014) 
    59 Cal.4th 522
    , 530 [the question at the class certification stage is
    “whether the operative legal principles, as applied to the facts of the case,
    render the claims susceptible to resolution on a common basis”].)
    “ ‘As a general rule if the defendant’s liability can be determined by
    facts common to all members of the class, a class will be certified even if the
    members must individually prove their damages.’ ” (Brinker, 
    supra,
    53 Cal.4th at p. 1022.) However, “class treatment is not appropriate ‘if every
    24
    member of the alleged class would be required to litigate numerous and
    substantial questions determining his individual right to recover following
    the “class judgment” ’ on common issues.” (Duran v. U.S. Bank National
    Assn. (2014) 
    59 Cal.4th 1
    , 28.) “ ‘Only in an extraordinary situation would a
    class action be justified where, subsequent to the class judgment, the
    members would be required to individually prove not only damages but also
    liability.’ ” (Id. at p. 30.) Here, based in part on Sutter Health’s “viewed”
    requirement, the trial court found that class treatment was not warranted
    because individualized inquiries would be required to prove Muir’s liability
    and damages for each of the nearly 5,500 putative class members.
    In challenging the trial court’s determination, Vigil contends there are
    common questions regarding whether Centeno had unauthorized access to
    the patient spreadsheet and whether Muir was negligent in protecting that
    document. The evidence she presented on those issues below consists of the
    depositions of two of Muir’s HIPAA security officers, a report from the
    investigation of the data breach, and Muir’s policies. Based on this evidence,
    the question whether Muir failed to use due care in maintaining patients’
    private medical information is a significant issue susceptible to common
    proof. However, Vigil’s burden “is not merely to show that some common
    issues exist, but rather, to place substantial evidence in the record that
    common issues predominate.” (Lockheed Martin Corp. v. Superior Court
    (2003) 
    29 Cal.4th 1096
    , 1108.)
    On this record, the trial court did not abuse its discretion in concluding
    individual issues would predominate over common issues. The record
    demonstrates that Centeno may have viewed some of the information on the
    patient spreadsheet, but Vigil presented no evidence indicating whose
    information was viewed. There is also no evidence suggesting that other
    25
    unauthorized parties viewed the information in the patient spreadsheet or
    that it was posted or disclosed in a public forum like the information at issue
    in Stasi or in Berkeley Police Assn. Therefore, most, if not all, of the almost
    5,500 potential class members would be unable to maintain their CMIA
    claims against Muir unless they could establish that an unauthorized party
    viewed their confidential medical information and that Muir’s negligence
    caused this breach of confidentiality.
    In our research, we have not found any state cases, and the parties
    have not provided any, that concern the predominance requirement in a
    CMIA case or in a similar data breach action. The few federal cases that
    address CMIA claims, however, suggest that individual questions regarding
    whether a breach of confidentiality occurred and whether the health care
    provider’s negligence caused the breach can be numerous and varied. In In re
    Premera, for example, the defendant was a health care provider that
    maintained patients’ confidential information in a centralized database. (In
    re Premera Blue Cross Customer Data Security Breach Litigation (D.Or. 2016)
    
    198 F.Supp.3d 1183
    , 1188.) In January 2015, it discovered that hackers had
    breached its computer network beginning in May 2014. (Id. at pp. 1189–
    1190.) The plaintiff subsequently filed a complaint for violation of the CMIA,
    which the defendant moved to dismiss. (Premera, at pp. 1190–1191.) The
    court concluded the plaintiff had adequately alleged a CMIA claim because in
    May 2015, she discovered on her credit report an inquiry for a car loan that
    she did not recognize, and her checking account had been fraudulently
    accessed “around the same time period.” (Premera, at p. 1202.)
    Similarly, in Falkenberg, the court determined on a motion to dismiss
    that plaintiffs had adequately alleged a claim for violation of the CMIA after
    a thief stole a password-protected laptop containing plaintiffs’ and other
    26
    patients’ confidential information. (Falkenberg v. Alere Home Monitoring,
    Inc. (N.D.Cal., Feb. 23, 2015, No. 13-cv-00341-JST) 
    2015 WL 800378
    , at
    pp. *1, *3.) The court found that the plaintiffs’ CMIA claim was supported by
    allegations that their confidential medical information was viewed by an
    unauthorized party because they alleged that they gave the defendant that
    information, that they suffered identity theft sometime from three weeks to
    “weeks-and-months” from when the defendant’s laptop containing the
    plaintiffs’ information was stolen, that they had never suffered identity theft
    previously, that they took extra precautions to ensure their information was
    not disclosed to unknown third parties, and that the thieves opened
    fraudulent accounts using the plaintiffs’ social security numbers, information
    that the defendant had and which was “not generally as available as date of
    birth, full name, and address.” (Falkenberg, at p. *3.) The court noted that
    where a plaintiff claims a data breach caused them to be the victim of
    identity theft, there must be a “ ‘nexus’ ” between the alleged identity theft
    and the data breach “ ‘beyond allegations of time and sequence,’ ” and that
    there was such a nexus in that case. (Id. at p. *4.)
    Applying the principles of those cases, the case here would require an
    assessment of each putative class member’s circumstances to determine
    whether his or her information was viewed by an unauthorized party and
    whether the data breach caused this breach of confidentiality. This
    assessment includes questions regarding whether third parties used
    plaintiffs’ information, whether this use was without authorization, the
    timing of this misuse, whether plaintiffs took measures to protect against the
    misuse of their information, whether the information used was involved in
    the data breach, and whether third parties could have obtained this
    information through other means.
    27
    Federal courts have denied class certification in data breach cases
    based on similar inquiries. (See Gardner v. Health Net, Inc. (N.D.Cal.,
    Sept. 13, 2010, No. cv-10-2140) 
    2010 WL 11579028
    , at pp. *4–*5 [class
    treatment not warranted in data breach case where individualized inquiries
    would be required to prove the defendant’s liability for negligence and other
    claims based on the injury and causation elements: “the theft of a potential
    class member’s identity could be the result of any number of causes”];
    McGlenn v. Driveline Retail Merchandising, Inc. (C.D.Ill., Jan. 19, 2021,
    No. 18-cv-2097) 
    2021 WL 165121
    , at pp. *8–*9 [the plaintiff failed to establish
    a predominance of common questions in data breach case involving almost
    16,000 potential class members where the evidence showed that some
    putative class members may have suffered identity theft while others did not,
    and there were individualized issues on causation, given that some members
    were involved in other data breaches].)
    We conclude substantial evidence supports the trial court’s
    determination. On the record before us, each class member’s “right to recover
    depends on facts peculiar to his case.” (City of San Jose v. Superior Court,
    supra, 12 Cal.3d at p. 459; Duran v. U.S. Bank National Assn., supra,
    59 Cal.4th at p. 30.) Although it is only a general rule that a class cannot be
    maintained where liability turns on the facts of individual cases, the
    problems of proof here appear sufficiently pervasive and substantial as to
    support the trial court’s denial of class certification based on the
    predominance of those questions.
    DISPOSITION
    The order is affirmed. Muir shall recover its costs on appeal.
    28
    STEWART, J.
    We concur.
    RICHMAN, Acting P.J.
    MILLER, J.
    Vigil v. Muir Medical Group (A160897)
    29