By Swigart Law Group, APC — Digital Privacy and Consumer Protection
On May 14, 2026, the California Supreme Court decided J.M. v. Illuminate Education, Inc. (S286699), a landmark ruling on medical data breaches under the Confidentiality of Medical Information Act (CMIA). Below, we answer the questions California consumers are asking about the decision, data breach notifications, and hidden tracking on medical websites.
What did the California Supreme Court decide in J.M. v. Illuminate Education?
The Court held that a person suing over a medical data breach does not have to prove that a hacker actually viewed their medical records. Instead, a company violates the CMIA when its negligence exposes your medical information to a “significant risk of unauthorized access or use.” The Court disapproved three older appellate decisions — Regents, Sutter Health, and Vigil — that companies had used for over a decade to defeat data breach claims. The Court also held that the plaintiff, a student whose data was exposed in a 2022 breach of education-technology company Illuminate Education, had not (yet) adequately alleged that Illuminate qualified as a “provider of health care” under the CMIA or that he was Illuminate’s “customer” under the Customer Records Act.
Why is this ruling a big deal for California consumers?
Because the old “actually viewed” rule made most data breach cases nearly impossible to win. Breach victims almost never know what a hacker did with their stolen data — all of that evidence sits with the company that was breached. The Supreme Court recognized this, and it recognized something else important: in the age of automated cybercrime and artificial intelligence, stolen medical data can be exploited without any human being ever “viewing” it. The new “significant risk” standard focuses on the company’s negligent conduct, not on an impossible proof burden for victims.
How much can I recover under the CMIA for a medical data breach?
The CMIA allows recovery of $1,000 in nominal damages per violation without proving you suffered any actual harm, plus actual damages if you did suffer harm (such as identity theft or fraud). In a class action covering thousands of affected patients or consumers, these statutory damages add up quickly — which is why the CMIA is one of the most powerful medical privacy laws in the country.
Does the CMIA apply to every company that stores my medical information?
No — and this is the caution in the Illuminate decision. The CMIA applies to “providers of health care,” which includes doctors and hospitals, but also businesses that maintain medical information in order to make it available to you or your health care providers for managing your records or for diagnosis and treatment. The Court found the student’s complaint described an education company, not a health care provider. Whether a tech company, app, or website is covered is a fact-intensive question about how it collects, uses, and shares your medical information — exactly the kind of analysis an experienced privacy attorney should do for you.
How long does a company have to notify me of a data breach in California?
California law requires notification “in the most expedient time possible and without unreasonable delay.” In the Illuminate case, the company detected suspicious activity in January 2022 but did not notify families until June 2022 — roughly five months later. A delayed notice deprives you of the chance to freeze your credit and protect yourself, and the delay itself can be evidence supporting legal claims.
What should I do if I receive a data breach notification letter?
Do not ignore it or throw it away. Take these steps:
• Keep the notice, the envelope, and note the date you received it — it identifies what data was exposed and proves when you were told.
• Compare the breach date to the notification date. Months of delay matter.
• Freeze your credit for free at Equifax, Experian, and TransUnion. Parents can freeze a minor child’s credit file — critical, because child identity theft often goes undetected for years.
• Watch for warning signs: junk mail or calls at contact information you gave only one company, phantom accounts, unfamiliar charges, or targeted solicitations.
• Don’t take “no evidence of misuse” at face value. Under the Supreme Court’s new standard, the question is whether your information was exposed to a significant risk of unauthorized access or use — not whether the company found proof of misuse.
• Contact a privacy attorney promptly. Statutes of limitation apply, and the key evidence is in the company’s hands.
Can medical websites share my information with Facebook?
Not without your written authorization if the information is covered by the CMIA — yet our firm’s investigations have found that many hospital systems, telehealth platforms, patient portals, and health information websites embed the Meta (Facebook) Pixel and similar advertising trackers in their web pages. When you search a condition, book an appointment, or log into a patient portal, these trackers can quietly transmit that activity to Facebook, tied to identifying cookies on your device — even if you don’t have a Facebook account. Depending on the platform and the information shared, this conduct can violate the CMIA and California’s Invasion of Privacy Act (CIPA), which prohibits wiretapping and eavesdropping on confidential communications.
How do I know if a health website is sharing my data with Facebook?
Watch for these warning signs:
• You start seeing ads on Facebook, Instagram, or elsewhere for a medical condition, medication, or treatment shortly after researching it or visiting a provider’s website.
• You receive targeted solicitations about a health issue you have only discussed with a medical provider or entered into a health website.
• The website’s privacy policy discloses sharing data with “advertising partners,” “analytics providers,” or Meta/Facebook.
Who can help me evaluate a medical data breach or privacy claim?
Swigart Law Group, APC is a California consumer protection firm dedicated to digital privacy. We litigate data breach, medical privacy, and internet tracking cases throughout the state, and we are closely following how courts apply the Illuminate decision’s new “significant risk” standard. We take your privacy seriously. If you received a data breach notification, suspect your medical information was exposed, or believe a health website shared your private information with Facebook or other third parties, contact us for a free, confidential evaluation. Call (866) 219-3343 or visit www.swigartlawgroup.com.
This post is attorney advertising and is provided for general informational purposes; it is not legal advice and does not create an attorney-client relationship.
