Doe v. Sutherland Healthcare Solutions CA2/7 ( 2021 )

Filed 12/6/21 Doe v. Sutherland Healthcare Solutions CA2/7
NOT TO BE PUBLISHED IN THE OFFICIAL REPORTS
California Rules of Court, rule 8.1115(a), prohibits courts and parties from citing or relying on opinions
not certified for publication or ordered published, except as specified by rule 8.1115(b ). This opinion
has not been certified for publication or ordered published for purposes of rule 8.1115.
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA
SECOND APPELLATE DISTRICT
DIVISION SEVEN
A. DOE et al.,                                                       B297712
Plaintiffs and Appellants,                                  (Los Angeles County
Super. Ct. Nos.
v.                                                          BC539436,
BC539844, BC542556)
SUTHERLAND HEALTHCARE
SOLUTIONS, INC. et al.,
Defendants and Respondents.
APPEAL from a judgment of the Superior Court of
Los Angeles County, Ann I. Jones, Judge. Reversed and
remanded with directions.
Nelson & Fraenkel, Gretchen M. Nelson, Gabriel S.
Barenfeld; Kabateck, Brian Kabateck, Anastasia K. Mazzella;
Genie Harrison Law Firm, Genie Harrison; Righetti Glugoski,
Matthew Righetti; Law Offices of Kevin T. Barnes and Gregg
Lander for Plaintiffs and Appellants.
Baker & Hostetler, Teresa C. Chow, Matthew C. Baisley,
Paul Karlsgodt and Casie Collignon for Defendant and
Respondent Sutherland Healthcare Solutions, Inc.
Jones Day, Daniel J. McLoon, David J. Feder; Office of the
Los Angeles County Counsel, Brian T. Chu and Brandi M. Moore
for Defendant and Respondent County of Los Angeles.
__________________________
Following the theft of eight computers from an office of
Sutherland Healthcare Solutions, Inc., a company that provides
billing and payment processing services to hospitals including
those operated by the County of Los Angeles, six affected
individuals sued Sutherland and the County for violations of the
Confidentiality of Medical Information Act (CMIA) (Civ. Code,
§ 56 et seq.)1 and negligence in a putative class action lawsuit,
alleging their confidential medical and personally identifiable
information had been compromised. Their complaint sought
statutory damages for the CMIA violation, as provided in
sections 56.36, subdivision (b), and 56.101, subdivision (a), and,
as actual damages for negligence, the value of the lost
information and the cost of credit monitoring services and
enhanced security measures undertaken by certain plaintiffs.
The trial court granted Sutherland and the County’s
motion for summary judgment, ruling as to the CMIA claim that
plaintiffs’ circumstantial evidence was insufficient to create a
triable issue that the confidential nature of the plaintiffs’ medical
information had been breached by an unauthorized individual, as
required by the Third District’s decision in Sutter Health v.
1     Statutory references are to this code unless otherwise
stated.
2
Superior Court (2014) 

, 1555 (Sutter Health)
and this court’s decision in Regents of University of California v.
Superior Court (2013) 

, 570 (Regents), and as
to the negligence cause of action that plaintiffs had not presented
evidence they had suffered actual damages or that potentially
cognizable damages had been caused by the theft of the
computers. The court also ruled that plaintiffs had failed to
properly allege the County had violated a mandatory duty
imposed by statute and that the County was immune from
liability for common law negligence.
We reverse the judgment, affirming the order of summary
adjudication as to the CMIA cause of action but reversing as to
the negligence claim. On remand plaintiffs may renew their
motion for leave to amend the complaint, which was denied by
the trial court while the summary judgment motion was pending.
FACTUAL AND PROCEDURAL BACKGROUND
1. The Theft of Sutherland Computers Containing
Confidential Information
a. Sutherland’s data handling practice
For Sutherland to perform its billing and payment
processing services, the County electronically transmitted patient
data to Sutherland, which stored the information on a secure
shared drive. Sutherland employees who worked with the data
emailed documents, including spreadsheets, containing the
personal health and personally identifiable information of
individuals treated at county facilities. The computers at
Sutherland’s Torrance office were configured to save a cache of all
emails sent and received by the computer user. As a result, every
hard drive had a file containing all emails and attachments sent
3
and received at that computer. Some employees also stored
documents on their computers’ hard drive.
The network server at Sutherland’s Torrance office was
encrypted. Access to individual computers required a username
and password, but information stored on those computers was not
encrypted. Although the degree of difficulty was debated by the
parties’ experts, it was undisputed that it was feasible for
someone with the proper skillset to access the data on the
password-protected computers.
b. The burglary
In the evening of February 5, 2014 someone entered
Sutherland’s Torrance office and stole eight desktop computers.
The stolen computers were among nearly 80 in the office and
were spread throughout the 9,000 square foot facility. Six of the
stolen computers were used by higher-level employees. Several of
the individuals whose computers were taken admitted at
deposition that they kept their passwords in a folder on their
hard drives and had downloaded patient medical records and
personally identifiable information onto their hard drives.
The hard drives in the eight stolen desktop computers
contained files that included medical information or personally
identifiable information for more than 340,000 patients at county
health care facilities. Following the theft Sutherland sent
notification letters to more than 300,000 patients.2 Law
2     The notice advised the stolen computers “contained
personal information including your first and last name, Social
Security number, and billing information. In addition, the stolen
computers may have included your date of birth, address,
diagnoses and other medical information.” “Because of the type
of personal information involved,” the notice continued, “we
4
enforcement (the Torrance Police Department, the Los Angeles
Police Department, the FBI and the Secret Service) investigated
the theft and identified several suspects, but no arrests were
made or charges filed. The stolen computers have not been
recovered.
2. The Lawsuits
The first class action lawsuit arising from the February 5,
2014 burglary was filed against Sutherland in March 2014. On
September 25, 2014 three lawsuits were consolidated, and,
pursuant to stipulation, on October 31, 2014 a consolidated
amended class action complaint was filed by Mario Cazarin, John
Galliano, Tanikka Harasim, Oswald Robinson, Tu Kamon and
Damon English against Sutherland and the County, asserting
causes of action for violation of CMIA, negligence and violations
of section 1798.81.5, failure to provide reasonable security
procedures and practices with respect to California residents’
personal information, and section 1798.82, failure to provide
notice regarding a breach of security regarding California
residents’ personal information. Each of the six plaintiffs had
received Sutherland’s notice of the computer thefts.
Following a partially successful demurrer, plaintiffs on
May 11, 2015 filed the operative consolidated second amended
class action complaint, alleging causes of action for violation of
CMIA and negligence against both Sutherland and the County
encourage you to take steps to protect yourself from identity
theft. We are offering credit monitoring services [that] will
include: 12 months of credit monitoring, a $20,000 insurance
reimbursement policy, Healthcare Identity Protection Toolkit™,
exclusive educational materials and access to fraud resolution
representatives.”
5
and violation of section 1798.82 against Sutherland. Plaintiffs
sought actual damages and/or statutory damages for violation of
CMIA and actual damages for the failure to protect their medical
and personally identifiable information in the other two causes of
action.
After another pleading challenge, the court sustained the
demurrer to the cause of action under section 1798.82 with leave
to amend and overruled the demurrer to the CMIA and
negligence claims.3 Plaintiffs did not amend further, and the
section 1798.82 cause of action is not at issue in this appeal.
Sutherland and the County answered the complaint on
October 28, 2015.
3. The Motion for Leave To Amend
In September 2017, approximately five months after
Sutherland and the County moved for summary judgment,
plaintiffs sought leave to amend their complaint to add claims
against Sutherland for breach of contract (as third party
beneficiaries) and for violation of the unfair competition law
(UCL) (Bus. & Prof Code, § 17200 et seq.). In support of their
request plaintiffs argued the new causes of action related to the
same general facts alleged in the operative complaint but added
allegations based on evidence obtained from documents recently
produced by the County and Sutherland, specifically the
contracts between the County and Sutherland and documents
“evidencing the County’s promises to Plaintiffs and Class
members related to the confidentiality of collected patient
3     The court sustained the demurrer as to all of English’s
causes of action against the County based on his failure to file a
timely prelawsuit claim under the Government Claims Act.
6
information which, in large part, form the basis for the
additional causes of action against Sutherland in the Proposed
Third Amended Complaint.”
Sutherland and the County opposed the motion, arguing
plaintiffs had unreasonably delayed in seeking leave to amend,
they would be severely prejudiced if amendment were allowed,
and the proposed amendments were futile. The trial court denied
the motion in a three-page ruling on October 4, 2017, finding the
additional discovery plaintiffs stated had alerted them to the
existence of their new claims “was substantially available—either
as part of the public record or as part of the documents produced
to plaintiffs in 2015—over a year and a half ago.”
The court ruled delay without a valid showing of excuse
was a significant factor in considering a motion for leave to
amend and could be a sufficient reason without more to deny the
motion. In addition, the court found amendment at that point in
the case would significantly prejudice defendants. The court
pointed out that a motion for summary judgment had been filed
by defendants and significant discovery had taken place,
including “a considerable amount of discovery [by plaintiffs] in
order to oppose that motion.” Permitting the amendment would
likely lead to another demurrer and then a new motion for
summary judgment, preceded by additional discovery. “Such a
delay is not only unjustified but would reopen much of the
concluded discovery and significantly impair the case
management plan that has been structured by this court for over
two years. While there is no trial date set, the potentially
dispositive motions are set for early next year. Additional causes
of action would preclude [that] hearing . . . from going forward in
a timely fashion.”
7
Finally, without definitively deciding the issue, the court
indicated skepticism about the merits of at least the contract
claim in light of express language in the pertinent agreements
excluding third party beneficiaries.
4. The Motion for Summary Judgment or, Alternatively,
Summary Adjudication
In April 2017 Sutherland and the County moved for
summary judgment and in January 2018 filed an amended
motion. On the CMIA claim, defendants asserted as to four of the
six plaintiffs there was no medical information contained in the
data that might be accessed from the stolen computers, and as to
two of the plaintiffs the stored medical information was not
private or confidential because their conditions were publicly
observable. Most significantly, contending it was inherently
speculative to conclude the motivation for the computer theft was
to mine and sell the data the computers may have contained,
Sutherland and the County argued plaintiffs could not prove
confidential medical information on the stolen computers had
been viewed by any unauthorized person, as required by Sutter
Health, supra, 

 and Regents, supra,

 to establish a CMIA claim for the negligent
release of confidential information.
Emphasizing there was no direct evidence that stolen
medical information had been accessed, Sutherland and the
County argued the circumstantial evidence proffered by plaintiffs
(evidence indicating the probable motivation for the burglary was
to steal medical information and one of the named plaintiffs and
others affected by the burglary had reported attempts at identity
theft after the incident), while arguably sufficient to survive a
demurrer, as the trial court had held, was insufficient to create a
8
triable issue of fact on summary judgment. In support
Sutherland and the County submitted a report from
Dr. Marcus K. Rogers, an expert in investigating cybercrimes,
stating, as the lower boundary of the true total, an estimated
7 percent of the United States population 16 years or older is a
victim of identity theft. Using that estimate, 23,709 of the
338,700 patients whose information was contained on the stolen
computers were likely to have been victims of identity theft
unrelated to the Sutherland computer theft. Yet, according to
Sutherland and the County’s expert, there were only eight
reported separate instances of attempted fraud by persons whose
data were contained on the stolen Sutherland systems. The
Sutherland and County expert also opined that, if someone were
to become a victim of financial fraud or identity theft through the
use of information taken from the computer systems, it would be
completely coincidental that medical information pertaining to a
particular individual was viewed, and it would depend on the
proximity of one person’s information to another person’s
information in a particular file.
A second defense expert, Dr. Thomas Holt, opined that,
even if cyber criminals had obtained the data stored on the stolen
computers, the format of the medical information contained in
the local files and the lack of value that cyberhackers attach to
medical information made it unlikely that unauthorized persons
would have viewed, mined, obtained or sold the medical
information. Rather, the personally identifiable information that
was also contained in the local files was far more valuable and far
less time-consuming to mine than the medical information.
As for the negligence claim, Sutherland and the County did
not dispute the allegation Sutherland had failed to act reasonably
9
to protect confidential medical information or personally
identifiable information stored on the stolen desk top computers,
but argued none of the plaintiffs could prove cognizable damages:
“Either they claim no concrete losses at all, or they claim losses
that the law does not recognize as damages.” Only one of the
plaintiffs alleged a specific loss of money (something less than
$60 attributed to an unrecognized credit card charge in 2015),
and he was unable to provide any information that would tie it to
the Sutherland theft. Expenses for credit monitoring services to
mitigate a risk of future harm, Sutherland and the County
argued, were insufficient to qualify as cognizable injury in a
negligence claim; and personal time spent reviewing information
related to the theft did not constitute actual harm. In addition,
they contended, given the prevalence of identity theft resulting
from the many recent large scale data breaches that had occurred
throughout the country, plaintiffs could not prove actual
causation between the several instances of attempted fraud or
identity theft reported by individuals whose information was on
the stolen computers (only one of which involved a named
plaintiff) and the Sutherland burglary.
Finally, the County argued there is no common law
governmental tort liability in California. As such, the County
asserted, it is immune from liability for common law negligence.
5. Plaintiffs’ Opposition and Defendants’ Reply
In their opposition papers plaintiffs argued the stolen data
contained confidential medical information as to all six of them.
As to the four described by defendants as without medical
information in the stolen computers, plaintiffs argued each had
“CPT” (current procedural terminology) codes in his or her data,
alphanumerics assigned to every task and service a medical
10
practitioner may provide a patient, which are used by insurers to
determine reimbursement amounts. A CPT code can be entered
into an internet search engine to determine the procedure and/or
diagnosis and thus constitutes medical information within the
meaning of CMIA, they argued. As to the other two plaintiffs,
plaintiffs disputed the extent to which they openly discussed
their medical conditions and argued the visibility of a condition
alone is insufficient to constitute a waiver of confidentiality of all
medical information about the condition.
As to Sutherland and the County’s primary argument that
plaintiffs could not establish a CMIA violation, plaintiffs insisted
it was a reasonable inference from the circumstantial evidence
that the stolen data had been improperly viewed or otherwise
accessed by unauthorized individuals. First, plaintiffs argued it
was a reasonable inference (not mere speculation) the computers
had been stolen because of the value on the black market of the
data they contained. Plaintiffs provided evidence the estimated
value of the individual computers was between $300 and $500.
(The Torrance Police Department estimated the total value of the
stolen hardware, which included two monitors in addition to the
eight computers, at $4,104.) The medical information and
personally identifiable information were valued at between $10
and $500 per individual patient on the black market.4 In
4     In a declaration submitted with their opposition papers,
plaintiffs’ expert James Van Dyke explained consumers’
personally identifiable information “remains of high value to
identity criminals.” Although he stated costs range from under
$10 to over $400 depending on quality, citing the Identity Theft
Resources Center, he declared, on average, a criminal can
purchase personally identifiable information from another
criminal on the black market for somewhere between 12 and
11
addition, plaintiffs noted that none of the computer cables or
other accessories, except for two monitors, had been taken, nor
were the computers taken closest to the door used to enter the
facility, suggesting it was not the value of the equipment taken
that motivated the thief. They also quoted from the search
warrant affidavit of a district attorney’s office investigator that
the stolen computers were an “ideal source of PII [personally
identifiable information] for the purposes of tax fraud or many
other identity theft or fraud schemes.” The investigator also
opined the computers had been specifically targeted.
Second, plaintiffs provided expert evidence refuting any
suggestion it would be difficult to access unencrypted data on the
stolen computers. Third, plaintiffs pointed to 10 known incidents
of identity fraud or attempted identity theft by individuals
affected by the security breach, including use of social security
numbers to open fraudulent credit accounts, which they described
as “close in time” to the Sutherland breach; and their
cybersecurity expert, Christopher Tarbel, opined, to a reasonable
degree of certainty, that the stolen data had been viewed and
accessed by cybercriminals.
As to the negligence claim, plaintiffs argued they were
entitled to recover the value of the personal information stolen
from them (analogizing to the valuation of stolen access card
account information in criminal cases to determine whether the
theft is a felony or misdemeanor) and contended expenses
incurred for credit monitoring and enhanced home security were
also recoverable. Whether those damages were caused by
16 dollars. He continued, “Estimates for health records range
from $10 to $50 per individual.”
12
Sutherland and the County’s negligence, they asserted, was a
factual issue that was not properly decided on summary
judgment. Finally, as to the County, plaintiffs argued their
negligence claims were based on the County’s breach of its
statutory obligations under CMIA.
Concurrently with their opposition papers plaintiffs filed
numerous (and detailed) evidentiary objections to Sutherland and
the County’s evidence, including to the declarations of Dr. Rogers
and Dr. Holt, the two defense experts.
In their reply memorandum Sutherland and the County
emphasized that only 10 (approximately) of the nearly 400,000
individuals given notice of the theft of the Sutherland computers
had alleged any attempted fraud or identity theft and none of
those reports involved the misuse of medical information.
Plaintiffs’ circumstantial evidence, they argued, was at most
speculation about how the information on the stolen computers
might have been misused. All plaintiffs actually established was
that it was technologically feasible for an unauthorized
individual to break into the computers, the medical and personal
data were more valuable on the black market than the hardware
stolen, and the computers may have been specifically selected by
the thief on some basis other than convenience. Quoting this
court’s Regents decision, they continued, “[T]he only conclusion
supported by the record is that ‘no one (except perhaps the thief)
knows what happened . . . ,’ and therefore Plaintiffs cannot prove
their ‘medical records were, in fact, viewed by an unauthorized
individual.”
13
6. The Court’s Ruling
Following oral argument on December 10, 2018, the court
on December 19, 2018 issued a 14-page ruling, granting
Sutherland and the County’s motion.5 The court first found as to
three of the plaintiffs (Galliano, Harasim and English) there were
no CPT codes or other medical information pertaining to them in
the stolen computers. Accordingly, the court granted the motion
for summary adjudication as to the CMIA cause of action as to
those three plaintiffs. Although there were CPT codes in the data
concerning Kamon, the court agreed with Sutherland and the
County that Kamon had presented no evidence her CPT codes
disclosed confidential medical information. On that basis the
court granted summary adjudication on the CMIA claim against
Kamon.
Accepting Sutherland and the County’s argument that a
visible medical condition precluded a CMIA claim, the court also
granted summary adjudication on that cause of action as to
Cazarin notwithstanding the presence of confidential medical
information concerning him within the data on the stolen
computers.
In addition, as to Cazarin and the sixth plaintiff, Robinson,
the court ruled their contention that anyone had actually viewed
their confidential medical information required “layers of
speculation.” The court wrote, “At best, Plaintiffs have shown a
5     The court overruled all 123 of plaintiffs’ objections to
defendants’ evidence. As to objections 1-59 and 62-90 the court
stated, “These are not objections to specific evidence. Rather,
these are objections to facts set forth in Defendants’ separate
statement.” No other explanation was given for overruling those
objections or for any of the other objections.
14
possibility that the password-protected (albeit unencrypted)
confidential medical information on the stolen computers was
viewed.” But, the court ruled, quoting Sutter Health, supra,
227 Cal.App.4th at page 1558, “that is not the standard.” The
court concluded plaintiffs had not presented evidence from which
a trier of fact could reasonably infer the computers were targeted
for their data. In addition, observing that proof of an actual
breach of confidentiality is required, not merely accessibility of
the data, the court noted that none of the limited incidents of
identity theft (or attempted identity theft) had involved Cazarin
or Robinson and thus did not assist in demonstrating a triable
issue of fact regarding the “actually viewed” element of their
CMIA claim. Accordingly, the court granted the motion for
summary adjudication of the CMIA claim as to Cazarin and
Robinson.
Turning to the negligence claim, the court agreed with
Sutherland and the County that plaintiffs had failed to present
evidence of actual damages. The court rejected the contention
the value of the stolen information is recoverable, pointing out
that section 3336, cited by plaintiffs, pertains to the measure of
damages for conversion, not negligence. The court then
acknowledged that credit monitoring services can constitute
actual damages in an action for failure to protect confidential
personal information, but ruled plaintiffs had failed to show the
required logical and temporal connection between the decision to
purchase those services and the alleged breach, noting there had
been no showing that any suspicious activity related to plaintiffs
involved the type of information contained on the stolen
computers. The court also found plaintiffs’ proof of causation
insufficient to raise a triable issue, explaining that four of the
15
plaintiffs had not been the victims of any attempted fraudulent
activity and the cause of the incidents involving the other two
plaintiffs was “purely speculative.” The court granted summary
adjudication on the negligence claim on both of those grounds.
With regard to the negligence claim against the County,
the court ruled, to the extent based on a violation of a mandatory
duty imposed by CMIA, it was duplicative of the CMIA claim. No
other statute creating a mandatory duty allegedly breached by
the County was properly pleaded in the operative complaint.
Accordingly, summary adjudication on the negligence claim was
granted as to the County for this additional reason.
7. The Motion To Seal Portions of the Ruling
On February 14, 2019, nearly two months after the court’s
ruling granting the motion for summary judgment, plaintiffs filed
an unopposed application to seal portions of the court’s order
referring to “Plaintiffs’ confidential and private medical
information protected by the Court’s Stipulated Protective
Order.” The court granted the motion in part, redacting
information regarding Robinson from the public filing, but
otherwise denied the motion. In its minute order the court
explained, “[W]hile Plaintiffs ‘continue to believe’ that their
medical information is private and confidential [fn. omitted], the
Court agreed with Defendants’ argument that the medical
information of Plaintiffs (except Plaintiff Oswald Robinson) on
the stolen computers was not confidential based on facts
identified on page 5 of its Order. Those facts are critical to the
Court’s ruling, and the right of public access to the basis for the
Court’s ruling prevails.”
Judgment was entered on March 12, 2019. Plaintiffs filed a
timely notice of appeal.
16
DISCUSSION
1. Standard of Review
A motion for summary judgment is properly granted only
when “all the papers submitted show that there is no triable
issue as to any material fact and that the moving party is entitled
to a judgment as a matter of law.” (Code Civ. Proc., § 437c,
subd. (c).) We review a grant of summary judgment de novo
(Samara v. Matar (2018) 

, 338) and, viewing the
evidence in the light most favorable to the nonmoving party
(Regents of University of California v. Superior Court (2018)

, 618), decide independently whether the facts not
subject to triable dispute warrant judgment for the moving party
as a matter of law. (Hampton v. County of San Diego (2015)

, 347; Schachter v. Citigroup, Inc. (2009) 

, 618.) “Circumstantial evidence is just as good as direct
evidence to create a triable issue of fact.” (Hussey-Head v. World
Savings & Loan Assn. (2003) 

, 780.)
2 Governing Law: CMIA
As defined by CMIA, “‘Medical information’ means any
individually identifiable information, in electronic or physical
form, in possession of or derived from a provider of health care,
health care service plan, pharmaceutical company, or contractor
regarding a patient’s medical history, mental or physical
condition, or treatment.” (§ 56.05, subd. (j).)6 “This definition
6     Section 56.05, subdivision (j), defines “Individually
identifiable” for purposes of CMIA as meaning that “the medical
information includes or contains any element of personal
identifying information sufficient to allow identification of the
individual, such as the patient’s name, address, electronic mail
address, telephone number, or social security number, or other
17
does not encompass demographic or numeric information that
does not reveal medical history, diagnosis, or care. . . . [¶] . . .
[T]he mere fact that a person may have been a patient at the
hospital at some time is not sufficient.” (Eisenhower Medical
Center v. Superior Court (2014) 

, 435.) In
addition, “[c]onfirmation that a person’s medical record exists
somewhere is not medical information as defined under the
CMIA.” (Id. at p. 436.)
CMIA prohibits health care providers and related entities
from disclosing medical information regarding a person without
authorization in certain specified instances (§ 56.10) and imposes
a duty on health care providers who create, maintain or dispose
of medical information to do so in a manner that preserves the
confidentiality of that information (§ 56.101, subd. (a)). Any
provider who negligently creates, maintains or disposes of
medical information is subject to the remedies and penalties
“provided under subdivisions (b) and (c) of Section 56.36”
(§ 56.101, subd. (a)), which include actual damages suffered by
the patient or nominal damages of $1,000 (§ 56.36,
subd. (b)(1), (2)).
The private cause of action to enforce the duty imposed by
section 56.101, subdivision (a), requires “pleading, and ultimately
proving, that the confidential nature of the plaintiff’s medical
information was breached as a result of the health care provider’s
negligence.” (Regents, supra, 220 Cal.App.4th at p. 570; accord,
Sutter Health, supra, 227 Cal.App.4th at p. 1555 [“without an
actual confidentiality breach, a health care provider has not
violated section 56.101 and therefore does not invoke the remedy
information that, alone or in combination with other publicly
available information, reveals the individual’s identity. ”
18
provided in section 56.36”].) That is, although a patient need not
plead and prove the health care provider engaged in some
affirmative conduct leading to an unauthorized third party’s
access to confidential medical information (Regents, at p. 565 &
fn. 12), more than loss of possession of records containing the
confidential medical information must be shown. (Sutter Health,
at p. 1557 [“[i]t is the medical information, not the physical
record (whether in electronic, paper, or other form), that is the
focus of [CMIA]”]; Regents, at p. 570 [“more than an allegation of
loss of possession by the health care provider is necessary to state
a cause of action for negligent maintenance or storage of
confidential medical information”].)
3. Plaintiffs Failed To Demonstrate Triable Issues of Fact
as to Whether Their Confidential Medical Information
Was Improperly Viewed or Otherwise Accessed
Acknowledging there is no direct evidence the
confidentiality of the stolen medical information had been
breached, plaintiffs argue on appeal it is a reasonable inference
from the circumstantial evidence they proffered in opposition to
the motion for summary judgment—the apparent targeting of the
eight computers, the thief’s decision not to steal other types of
equipment (other than two monitors), the far greater black
market value of the confidential data on the computers than the
value of the stolen hardware, the unencrypted nature of those
data, the relative ease with which they could be accessed, and at
least 10 incidents of identity theft close in time to the incident—
that the confidential medical information had been viewed or
otherwise accessed by the thief or other unauthorized individuals,
creating a triable issue of fact on that essential element of their
CMIA cause of action.
19
Sutherland and the County dispute the significance of this
inference, arguing it is only one of several possibilities and thus
insufficient to defeat summary judgment, quoting Leslie G. v.
Perry & Associates (1996) 

, 483 (Leslie G.),
which held, “Where, as here, the plaintiff seeks to prove an
essential element of her case by circumstantial evidence, she
cannot recover merely by showing that the inferences she draws
from those circumstances are consistent with her theory. Instead,
she must show that the inferences favorable to her are more
reasonable or probable than those against her.” It may have just
been a “smash and grab” burglary, Sutherland and the County
argue. Or it may have been a scheme of corporate sabotage
intended to persuade the County to move the lucrative contract
for patient billing and payment services to one of Sutherland’s
competitors based on Sutherland’s demonstrated lack of security.
And even if the computers were targeted, the motivation may
have been the personally identifiable information they contained,
such as social security numbers, rather than medical
information. Each of these alternate theories, Sutherland and
the County posit, are consistent with certain of the facts known
about the burglary.
Sutherland and the County’s assertion that it is the role of
the trial court on summary judgment—or this court when
conducting its de novo review—to determine which of several
reasonable but conflicting inferences is more probable directly
conflicts with Code of Civil Procedure section 437c,
subdivision (c), which provides, “[S]ummary judgment shall not
be granted by the court based on inferences reasonably deducible
from the evidence if contradicted by other inferences or evidence
that raise a triable issue as to any material fact.” Indeed, as
20
Justice Miriam Vogel, the author of Leslie G., explained in
rejecting an expansive interpretation of that decision several
years later in Hussey-Head v. World Savings & Loan Assn.,
supra, 111 Cal.App.4th at page 780, citing and quoting Saelzler v.
Advanced Group 400 (2001) 

, 767, all that is
necessary for a plaintiff opposing summary judgment is to “create
a reasonable inference” the defendant violated the statute at
issue, since, “to prevail by summary judgment, the moving party
must establish that ‘“under no hypothesis is there a material
issue of fact that requires the process of trial.”’” (Accord,
Savaikie v. Kaiser Foundation Hospitals (2020) 

, 229-230 [“‘[g]enerally, when conflicting inferences can be
reasonably drawn from the evidence, a triable issue of fact is
deemed to exist’”]; Pierson v. Helmerich & Payne Internat.
Drilling Co. (2016) 

, 627 [same].)
The deficiency in plaintiffs’ CMIA proof is not their failure
to create triable issues of fact concerning the motivation for the
burglary and the likelihood some of the stolen medical
information was viewed or otherwise accessed, but their lack of
evidence that plaintiffs’ confidential medical information was
compromised. The private cause of action for negligent release of
confidential medical information created by sections 56.36,
subdivision (b), and 56.101, subdivision (a), like the right of
privacy itself, “is purely a personal one.” (See Regents, supra,
220 Cal.App.4th at p. 563 & fn. 6.) A patient may sue for
statutory damages for a breach of confidentiality only if the
compromised information “concern[ed] him or her.” (§ 56.36,
subd. (b); see Regents, at p. 563 [“[a]t the very least, the
information potentially compromised as a result of the negligent
conduct must relate to the individual initiating the action”].)
21
Plaintiffs do not challenge the trial court’s ruling that no
confidential medical information concerning Galliano, Kamon or
English was stored on the stolen computers. Although they have
not made the same express concession regarding Harasim and
contest the trial court’s finding that she waived any
confidentiality because an aspect of her medical condition was
publicly visible—an issue we need not address—they have not
argued the trial court erred in its additional finding that there
were no CPT codes or other confidential medical information
concerning her on the stolen computers. As to these four
plaintiffs, then, the court’s order granting summary adjudication
of the CMIA cause of action must be affirmed.
What about Cazarin and Robinson, the remaining
two plaintiffs? As discussed, data on the stolen computers
included information (medical information, personally
identifiable information or both) for more than 340,000 patients
at county health care facilities. According to plaintiffs, after
eliminating duplications, there were approximately 460,000
unique documents stored on the eight computers. No single
document or discrete set of documents contained all relevant
patient information.
Even if plaintiffs’ circumstantial evidence supports the
reasonable inference that the confidentiality of some of those
patients’ medical information was breached following the theft,
there is no evidentiary basis—reasonable or otherwise—for
inferring that the confidential medical records of Cazarin or
Robinson were among them. As the trial court emphasized, none
of the approximately 10 incidents of identity theft or attempted
identity fraud arguably linked to the Sutherland burglary
involved either Cazarin or Robinson. While it is certainly true, as
22
plaintiffs contend, that being a victim of identity fraud is not an
element of a CMIA claim—the confidential medical information
need only be viewed or accessed, not used—evidence that one
type of confidential information had been accessed and used
would have supported an inference other aspects of that patient’s
stolen data had been viewed, as well. Plaintiffs identified
nothing else in the record that would permit a jury to find that
records specific to Cazarin or Robinson were among those opened
or actually viewed following the theft of the computers, assuming
any records were.
Ultimately, then, the argument that Cazarin’s and
Robinson’s CMIA claims survive summary judgment depends on
the contention the circumstantial evidence created a reasonable
inference, and thus a triable issue, not only that some of the
confidential medical information on the stolen computers was
viewed but that all of it was. As to this inference, too, there is no
evidentiary basis. To the contrary, defendants’ experts opined
that a criminal who intended to mine the stolen information for
sale would likely have employed an automated process that
targeted specific types of data and would limit any manual
review to spot checking to assist that process. The volume of
data and variety of attachments, they explained, would have
made it infeasible for anyone to manually view all the data even
if the contents of the hard drives were accessed.7 Plaintiffs did
7       On appeal plaintiffs contend the trial court’s “blanket”
overruling of all 123 of its objections to defendants’ evidence with
little or no explanation was an abuse of discretion. Citing
primarily Nazir v. United Airlines, Inc. (2009) 

, they assert such a ruling affords no meaningful basis for
review and could be treated as a failure to rule at all. They may
be correct. But if plaintiffs intended that we disregard on appeal
23
not dispute that overall assessment, contesting only the degree of
difficulty in viewing unencrypted data on a password protected
computer while essentially agreeing a manual review of all data
would be unnecessary to effect the data theft. Evidence that
suggests data might have been transferred through an
automated process from one set of computers to another without
some indication all the data were viewed, directly or indirectly,
falls short of creating a triable issue whether the confidentiality
of medical information personal to Carazin or Robinson was
breached.8
the evidence presented by defendants’ experts, it was their
burden to renew their objections and present arguments that
would support sustaining them. (See Reid v. Google, Inc. (2010)

, 534 [“presumptively overruled objections can still
be raised on appeal, with the burden on the objector to renew the
objections in the appellate court”].) Their opening brief entirely
fails to do that, and their reply brief is only minimally better.
Accordingly, we consider defendants’ expert reports to this
limited extent. (See People v. Tully (2012) 

, 1075;
Sweetwater Union High School Dist. v. Julian Union Elementary
School Dist. (2019) 

, 987.)
8     Plaintiffs in their reply brief emphasize that in Regents,
supra, 

, we referred to “viewed or otherwise
accessed,” not simply “viewed” and suggest, without elaboration,
the “accessed” standard is somehow broader than “viewed” and
that under this more expanded interpretation of CMIA Cazarin’s
and Robinson’s claims survive. Plaintiffs misapprehend the
import of that language. In Regents we rejected the argument a
private cause of action under Civil Code sections 56.36,
subdivision (b), and 56.101 requires pleading and proof of an
affirmative disclosure by the health care provider. In doing so, we
considered regulatory safeguards in the Health and Safety Code,
enacted some years after the CMIA provisions at issue in the case,
24
4. Plaintiffs Established Triable Issues of Fact Regarding
Actual Damages and Causation for Purposes of Their
Negligence Claim
To establish a prima facie case of negligence, a plaintiff
must prove the defendant owed a duty to the plaintiff, the
defendant breached that duty, and the defendant’s breach
proximately caused the plaintiff damage. (Lockheed Martin Corp.
v. Superior Court (2003) 

, 1106; Paz v. State of
California (2000) 

, 559.) In moving for summary
judgment Sutherland and the County did not challenge plaintiffs’
ability to prove duty or breach, arguing only that they lacked
evidence of causation and damage. (See Jimenez v. Superior
Court (2002) 

, 483 [“‘appreciable, nonspeculative,
present injury is an essential element of a tort cause of action’”].)
Effectively conflating those arguments, the trial court
ruled, although under certain circumstances the costs incurred
that expressly addressed “‘unlawful or unauthorized access to’”
confidential medical information, as well as its unauthorized “‘use
or disclosure.’” (See Regents, at p. 568.) The argument advanced
was that “negligently release[ ]” in Civil Code section 56.36,
subdivision (b), must mean more than permitting unauthorized
“access to” because the Legislature used that term in the new
regulatory protections when it meant it. Not so, we held. Nothing
in those newer statutes or their legislative history indicated the
Legislature in providing additional protections for confidential
medical information intended to modify or displace existing
private remedies for the negligent storage or disposal of such
information, which did not require affirmative disclosures.
(Regents, at p. 568) However, because the Legislature had used
“access” to refer to the concept we held encompassed by
“negligently released,” the statutory term at issue in Regents, we
did as well.
25
for credit monitoring services were recoverable as damages in a
data breach case (as it had concluded when overruling
Sutherland and the County’s demurrer to the negligence cause of
action), those costs did not qualify as actual damages here
because plaintiffs had failed to present evidence there was a
“‘logical and temporal connection between the decision to
purchase credit monitoring services and the defendant’s alleged
breach.’”
We agree credit monitoring costs and other economic losses
incurred to combat potential identity theft are recoverable as
damages if the remaining elements of a negligence claim arising
from the breach of confidentiality of medical or personally
identifiable information have been proved.9 The right to recover
the cost of periodic monitoring due to an increased risk of future
injury created by a defendant’s negligent conduct is well-
established in California tort law. In Potter v. Firestone Tire &
Rubber Co. (1993) 

, a case involving the illegal
dumping of toxic water materials, the Supreme Court held
expenditures for prospective medical testing and evaluation that
would be unnecessary absent wrongful exposure are “‘detriment
proximately caused’” by negligent disposal of toxic substances.
(Id. at p. 1005.) Accordingly, the Court held, “[T]he cost of
medical monitoring is a compensable item of damages where the
proofs demonstrate, through reliable medical expert testimony,
that the need for future monitoring is a reasonably certain
consequence of a plaintiff’s toxic exposure and that the
9    Although the stolen computers contained only Cazarin’s
and Robinson’s confidential medical information, all six plaintiffs’
personally identifiable information was among the data on the
computers.
26
recommended monitoring is reasonable.” (Id. at p. 1009;10
see Lockheed, supra, 29 Cal.4th at p. 1105 [“Potter simply
specified for the medical monitoring context the traditional
requirement that a plaintiff prove causation of damage. Thus,
while in Potter we ‘ma[de] it clear that the monitoring must be
“additional or different”’ than that previously required [citation],
we just as clearly stated that ‘if additional or different tests and
examinations are necessitated as a result of the toxic exposure
caused by the defendant, then the defendant bears full
responsibility for their costs’”].) It is an entirely appropriate
application of the principles underlying Potter’s holding that the
cost of prospective medical monitoring is cognizable injury in a
negligence action to impose responsibility for the cost of credit
monitoring services on defendants found liable for a data breach
if plaintiffs prove causation.
10     Expanding on its holding the Supreme Court stated, “In
determining the reasonableness and necessity of monitoring, the
following factors are relevant: (1) the significance and extent of
the plaintiff’s exposure to chemicals; (2) the toxicity of the
chemicals; (3) the relative increase in the chance of onset of
disease in the exposed plaintiff as a result of the exposure, when
compared to (a) the plaintiff’s chances of developing the disease
had he or she not been exposed, and (b) the chances of the
members of the public at large of developing the disease; (4) the
seriousness of the disease for which the plaintiff is at risk; and
(5) the clinical value of early detection and diagnosis. Under this
holding, it is for the trier of fact to decide, on the basis of
competent medical testimony, whether and to what extent the
particular plaintiff’s exposure to toxic chemicals in a given
situation justifies future periodic medical monitoring.” (Potter v.
Firestone Tire & Rubber Co., supra, 6 Cal.4th at p. 1009.)
27
As the district court explained in Huynh v. Quora, Inc.
(N.D.Cal. 2020) 

 in denying a motion for
summary judgment in a putative class action asserting claims
under California law for negligence and violation of the UCL
following a data breach,11 although “California courts have not
considered whether time and money lost to credit monitoring
from the future threat posed by compromised PII are damages to
support a negligence claim” (id. at p. 649), “courts confronting the
issue in this Circuit have extended the toxic tort exception to
data breach cases in which PII is compromised.” (Id. at p. 650.)
The Huyn court cited decisions from the Northern District,
Central District and Southern District of California before ruling,
“[T]his Court agrees with Plaintiff that the time and money she
spent on credit monitoring in response to the Data Breach is
cognizable harm to support her negligence claim.” (Ibid.; accord,
Schmitt v. SN Servicing Corp. (N.D.Cal., Aug. 9, 2021, No. 21-cv-
3355-WHO) 2021 U.S.Dist. Lexis 149252, *18 [“t]he money and
time plaintiffs spent on credit monitoring are both cognizable
forms of harm”]; see Lewert v. P.F. Chang’s China Bistro, Inc.
(7th Cir. 2016) 

, 967 [plaintiffs’ alleged injuries—
“the increased risk of fraudulent charges and identity theft they
face because their data has already been stolen”—“are concrete
enough to support a lawsuit”]; Galaria v. Nationwide Mutual Ins.
11    Like Sutherland and the County, the defendant in Huynh
v. Quora, Inc., supra, 

 moved for summary
judgment because “[p]laintiff has not suffered identity theft and
asserts that she has voluntarily attempted to repair any
hypothetical threat of future harm by temporarily purchasing
credit monitoring services and monitoring her accounts.” (Id. at
p. 649.)
28
Co. (6th Cir. 2016) 

, 388 [“[A]lthough it might
not be ‘literally certain’ that Plaintiffs’ data will be misused
[citation], there is a sufficiently substantial risk of harm that
incurring mitigation costs is reasonable. Where Plaintiffs
already know that they have lost control of their data, it would be
unreasonable to expect Plaintiffs to wait for actual misuse—a
fraudulent charge on a credit card, for example—before taking
steps to ensure their own personal and financial security,
particularly when Nationwide recommended taking these steps”];
but see Tsao v. Captiva MVP Restaurant Partners, LLC (11th Cir.
2021) 

, 1340, 1345 [explaining the Sixth, Seventh,
Ninth and D.C. Circuits have all recognized a plaintiff can
establish injury-in-fact based on the increased risk of identity
theft following a data theft, while the Second, Third, Fourth and
Eighth Circuits have declined to find standing on that theory,
and concluding in the case before it the plaintiffs’ mitigation costs
did not constitute actual injury: “Tsao cannot conjure standing
here by inflicting injuries on himself to avoid an insubstantial,
non-imminent risk of identity theft”].)
As for causation, a question of fact that generally cannot be
decided on summary judgment (see State Dept. of State Hospitals
v. Superior Court (2015) 

, 353; Shih v. Starbucks
Corp. (2020) 

, 1071), plaintiffs presented
expert testimony concerning the increased risk of identity theft
resulting from data theft and the steps breach victims should
take to avoid identity theft as a result of data theft, including
purchasing fraud protection programs and monitoring credit
bureaus. They also submitted evidence they had incurred costs
and suffered other forms of economic loss as a result of the data
theft, including credit monitoring expenses. Moreover, following
29
the theft of the computers, “because of the type of personal
information involved,” Sutherland “encourage[d]” all of the
County health care patients affected by the incident, including
plaintiffs, “to take steps to protect yourself from identity theft”
by, among other things, subscribing for a one-year credit
monitoring program it was providing, along with a $20,000
insurance reimbursement policy. This evidence was more than
sufficient to create a triable issue of fact concerning causation—
the temporal and logical relationship between Sutherland and
the County’s negligence and the actual damages allegedly
suffered by plaintiffs.12
5. The County Is Not Immune from a Negligence Claim
Predicated on Its Breach of Duty To Preserve the
Confidentiality of Medical Information
There is no common law tort liability for public entities in
California. “Under the Government Claims Act [citation],
governmental tort liability must be based on statute.” (B.H. v.
County of San Bernardino (2015) 

, 179 (B.H.);
see Gov. Code, § 815, subd. (a) [“[e]xcept as otherwise provided by
statute: [¶] . . . [a] public entity is not liable for an injury,
whether such injury arises out of an act or omission of the public
entity or a public employee or any other person”].) Government
Code section 815.6 provides one of the statutory exceptions to this
12     It will be the trial court’s responsibility to instruct the jury
concerning plaintiffs’ burden to prove the necessity for, and
reasonableness of, the mitigation measures for which they seek
recovery, translating into this context the five factors the
Supreme Court identified in Potter v. Firestone Tire &
Rubber Co., supra, 6 Cal.4th at page 1009 as relevant to the
determination whether future periodic medical monitoring was
justified. (See fn. 10.)
30
general rule of public entity immunity: “Where a public entity is
under a mandatory duty imposed by an enactment that is
designed to protect against the risk of a particular kind of injury,
the public entity is liable for an injury of that kind proximately
caused by its failure to discharge the duty unless the public
entity establishes that it exercised reasonable diligence to
discharge the duty.” (See Haggis v. City of Los Angeles (2000)

, 499-500 [“section 815.6 provides that the public
entity ‘is liable’ for an injury proximately caused by its negligent
failure to discharge the duty”].)
“Government Code section 815.6 has three elements that
must be satisfied to impose public entity liability: (1) a
mandatory duty was imposed on the public entity by an
enactment; (2) the enactment was designed to protect against the
particular kind of injury allegedly suffered; and (3) the breach of
the mandatory statutory duty proximately caused the injury.
Even when a duty exists, California has enacted specific
immunity statutes that, if applicable, prevail over liability
provisions.” (B.H., supra, 62 Cal.4th at p. 179.)
In the factual background portion of the operative pleading,
plaintiffs alleged under CMIA and the Health Insurance
Portability and Accountability Act of 1966 (HIPAA) the County
had a nondelegable and mandatory duty to take appropriate
measures to protect the confidentiality of the medical records of
patients treated at County facilities, which it violated in several
specific ways. In the second cause of action for negligence
plaintiffs incorporated those background allegations by reference
and expressly alleged the County (and Sutherland) breached
their duty of care to plaintiffs and members of the putative class
31
by failing to properly protect the medical records of the County’s
health care patients.
The trial court ruled those seemingly adequate allegations
of liability were insufficient to overcome the County’s immunity
because, to the extent based on CMIA, the negligence cause of
action was duplicative of the CMIA claim and, to the extent based
on Government Code section 815.6, plaintiffs had failed to allege
that statute in the operative pleading. Neither rationale
supports the court’s finding the County is immune.
As to the first ground, the two causes of action are not
identical. As discussed, to prove a violation of CMIA, plaintiffs
needed to establish not only that the County was negligent in its
creation, maintenance or storage of medical information, but also
that the confidentiality of that information had been breached.
In contrast, no proof of unauthorized access to the confidential
information is required for the cause of action based on the
County’s negligent breach of its mandatory duty to safeguard the
medical information of the patients it served. Conversely, no
actual damages need be proved in the CMIA cause of action;
statutory damages would be available if any of the plaintiffs
could prove a CMIA violation. Actual damages are an essential
element of the negligence claim.13
13    In supplemental responses to the County’s interrogatories
served more than two years before the trial court heard the
summary judgment motion, plaintiffs stated, subject to various
objections, that they and the class members were seeking
statutory damages available under CMIA without also
identifying actual damages they may have suffered. In its reply
memorandum in support of summary judgment, but not its
moving papers, the County argued plaintiffs had forfeited their
claim to credit monitoring services as damages. In granting
32
The trial court’s second ground for finding immunity was
based on a misapplication of the general principle that, to assert
liability under Government Code section 815.6 for breach of a
mandatory duty, the plaintiff “‘“must specifically allege the
applicable statute or regulation.”’” (Washington v. County of
Contra Costa (1995) 

, 896, quoting Brenneman
v. State of California (1989) 

, 817.) Although
it is somewhat unclear from the opinion in Cerna v. City of
Oakland (2008) 

, 1349-1350, the case the
trial court cited to support its ruling, the requirement is that the
plaintiff specifically identify the statute that created the
mandatory duty—here CMIA and HIPAA, which plaintiffs
expressly alleged—not that the pleading cite section 815.6.
(See, e.g., In re Groundwater Cases (2007) 

,
689 [“[a] plaintiff seeking to hold a public entity liable under
Government Code section 815.6 must specifically identify the
statute or regulation alleged to create a mandatory duty”]; Searcy
v. Hemet Unified School Dist. (1986) 

, 802
[“[s]ince the duty of a governmental agency can only be created
by statute or ‘enactment,’ the statute or ‘enactment’ claimed to
establish the duty must at the very least be identified”].)
Government Code section 815.6 is certainly “[t]he gateway to
recovery.” (Washington, at p. 896.) But it is not the statute that
creates the mandatory duty upon which plaintiffs seek recovery
summary adjudication in favor of Sutherland and the County on
the negligence cause of action, however, the trial court did not
adopt that argument, ruling those expenses were too speculative
to be recoverable as damages. We, likewise, do not consider this
claim for actual damages forfeited.
33
and need not be identified in the complaint in order to be
discussed when opposing a motion for summary judgment. 14
In its brief in this court the County adds a third argument,
contending, even if the CMIA and negligence causes of action are
not duplicative and plaintiffs adequately pleaded CMIA as the
statutory basis for the mandatory duty it breached, they are still
asserting a common law tort claim (albeit one effectively for
negligence per se), barred by governmental immunity, not a
statutory claim authorized by Government Code section 815.6.
Yet as the County recognizes elsewhere in its brief, this court
upheld just such a cause of action for negligence against a public
entity based on the doctrine of negligence per se in Alejo v. City of
Alhambra (1999) 

, 1184, disapproved on
another ground in B.H., supra, 62 Cal.4th at page 188, footnote 6.
(See Lehto v. City of Oxnard (1985) 

, 292
[“Government Code section 815.6 applies to public entities the
familiar rule of tort law that violation of a legislatively prescribed
standard of care creates a rebuttable presumption of
negligence”].) In sum, the trial court erred in granting the
County’s motion for summary adjudication as to plaintiffs’
negligence cause of action based on governmental immunity.
14    The court in Cochran v. Herzog Engraving Co. (1984)

, which the County cites in support of its
contention the absence of a citation to Government Code
section 815.6 in the operative pleading dooms plaintiffs’ claim,
noted that, “[t]o state a cause of action against a public entity,
every fact material to the existence of its statutory liability must
be pleaded with particularity.” (Cochran, at p. 414, fn. 2.)
Plaintiffs have done just that—pleading all facts material to their
negligence claim.
34
6. On Remand Plaintiffs Should Have the Opportunity To
Renew Their Motion for Leave To Amend
We review the denial of a motion for leave to amend a
complaint for abuse of discretion. (Branick v. Downey Savings &
Loan Assn. (2006) 

, 242 [leave to amend a
complaint is entrusted to the sound discretion of the trial court];
Foroudi v. The Aerospace Corp. (2020) 

, 1000;
Bettencourt v. Hennessy Industries, Inc. (2012) 

, 1111.) Although “[a] trial court has wide discretion to allow
the amendment of pleadings, and generally courts will liberally
allow amendments at any stage of the proceeding” (Falcon v.
Long Beach Genetics, Inc. (2014) 

, 1280),
unreasonable delay alone can justify denial of a motion for leave
to amend. (Huff v. Wilkins (2006) 

, 765
[“‘“even if a good amendment is proposed in proper form,
unwarranted delay in presenting it may—of itself—be a valid
reason for denial”’”]; see P&D Consultants, Inc. v. City of
Carlsbad (2010) 

, 1345; Record v. Reason
(1999) 

, 486-487; see also Green v. Rancho
Santa Margarita Mortgage Co. (1994) 

, 692
[“[t]here is a platoon of authority to the effect that a long
unexcused delay is sufficient to uphold a trial judge’s decision to
deny the opportunity to amend pleadings, particularly where the
new amendment would interject a new issue which requires
further discovery”].)
Here, the trial court denied plaintiffs’ motion based on both
delay, finding that the newly discovered information should have
been known much earlier notwithstanding plaintiffs’ argument to
the contrary, and prejudice, due to the pendency of Sutherland
and the County’s summary judgment motion and the impact of
35
an amendment on the timing for that motion, as well as the
court’s case management plan. It would be difficult to conclude
that ruling was an abuse of discretion: “[W]hen a plaintiff seeks
leave to amend his or her complaint only after the defendant has
mounted a summary judgment motion directed at the allegations
of the unamended complaint, even though the plaintiff has been
aware of the facts upon which the amendment is based, ‘[i]t
would be patently unfair to allow plaintiffs to defeat [the]
summary judgment motion by allowing them to present a
“moving target” unbounded by the pleadings.’” (Falcon v. Long
Beach Genetics, Inc., supra, 224 Cal.App.4th at p. 1280; accord,
Melican v. Regents of University of California (2007)

, 176.)
The circumstances on remand will be far different from
those existing when the court considered plaintiffs’ motion: The
summary judgment motion has been resolved; the CMIA cause of
action dismissed; and the nature of the damages at issue in the
remaining negligence claim defined and limited. Whatever
remained from the court’s original case management plan will
need to be revised. Accordingly, to the extent plaintiffs continue
to believe they have viable claims for breach of contract or
violation of the UCL, they should be permitted to renew their
motion for leave to amend. The trial court, of course, retains its
discretion to grant or deny any such motion in light of the current
procedural posture of the case.
7. The Order Denying in Part the Motion To Seal Portions
of the Trial Court’s December 19, 2018 Ruling Must Be
Revised
We agree with the trial court’s general observation that the
considerations under California Rules of Court, rule 2.550(d) in
36
deciding whether to seal papers filed by the parties are not
identical to those involved in determining whether to redact
previously sealed material when referred to in a court order.
Nonetheless, “medical records are constitutionally private and
statutorily confidential.” (Oiye v. Fox (2012) 

, 1070.) A person’s medical history “‘falls within the zone of
informational privacy protected’ by the state and federal
Constitutions.” (Id. at p. 1068.) Accordingly, great care should
be taken before disclosing in a court ruling previously sealed
medical information concerning identifiable parties.
With respect to Galliano, English and Kamon, the trial
court ruled there was no confidential medical information
concerning them on the stolen computers. Accordingly, there was
no reason to describe their medical conditions in the ruling. As to
Harasim, although the court also found no confidential medical
information pertaining to her was contained on the stolen
computers, it additionally ruled Harasim had publicly disclosed
enough information about her medical condition to preclude a
CMIA claim. Making the minimal redactions (less than a dozen
words) requested on page 6 of the ruling would not interfere with
a reader’s ability to understand the court’s analysis of this point
as to Harasim. Similarly, the explanation that Carazin’s medical
condition was visible to others and, therefore, not confidential,
need not include a description of that condition. As for the court’s
concern it ought not redact information it had found was not
confidential, pending a decision in this court affirming the trial
court’s ruling, Harasim and Carazin were entitled to have the
information treated as confidential. And since we do not find it
necessary to decide the issue, they remain entitled to that degree
of privacy protection.
37
We agree with the trial court that the information plaintiffs
requested be redacted on pages other than five and six of the
ruling do not relate to medical information and properly remain
part of the publicly filed ruling.
DISPOSITION
The judgment is reversed. On remand the trial court is to
enter a new order granting the motion for summary adjudication
as to the CMIA cause of action and denying the motion as to the
negligence cause of action. The trial court is further ordered to
seal the portions of its December 19, 2018 ruling that contain
specific medical or health-related information concerning any of
the plaintiffs.
The parties are to bear their own costs on appeal.
PERLUSS, P. J.
We concur:
SEGAL, J.
FEUER, J.
38