California’s “Actually Viewed” Defense Just Died in Data Breach Cases

Summary

The California Supreme Court's J.M. v. Illuminate Education decision ends the "actually viewed" defense in data breach cases, replacing it with a "significant risk" standard. It also narrows who counts as a "customer" with standing to sue a vendor under the Customer Records Act.

If your company handles other people’s sensitive data through a software vendor, two questions are now urgent. First, can you still rely on the longstanding California defense that says no liability attaches unless an unauthorized party actually viewed the data? And second, when a vendor sits between you and the end users whose information was exposed, who exactly has the right to sue whom?

The California Supreme Court answered both questions in J.M. v. Illuminate Education, Inc., a unanimous opinion authored by Justice Liu and issued on May 14, 2026, with a separate concurrence by Justice Groban. The headline holdings reshape how data breach claims are pleaded in California under the Confidentiality of Medical Information Act, and they redraw the boundary of who counts as a “customer” with standing under the Customer Records Act. For technology vendors, school districts, healthcare-adjacent platforms, and any business that processes personal information through a third-party service, the practical implications are immediate.

The Setup

Illuminate Education provides software services to school districts across the country. Among other things, its platform stores data on individual students, including medical information that districts use for educational planning and intervention. The Ventura County Office of Education contracts with Illuminate to support the district where the plaintiff, identified only as J.M., was a student.

In early 2022, Illuminate experienced a data breach. Its investigation eventually confirmed that databases containing protected student information had been subject to unauthorized access over a roughly twelve-day window in late December 2021 and early January 2022. Illuminate notified the Ventura County Office of Education about twelve days after confirming the breach. Notice to affected families, including J.M.’s guardians, didn’t go out until June 10, 2022, roughly five months after Illuminate first detected the suspicious activity. J.M., through his guardian, sued on behalf of a putative class for violations of the Confidentiality of Medical Information Act and the Customer Records Act.

The trial court dismissed the case at the demurrer stage. The Court of Appeal reversed. The Supreme Court granted review and, on May 14, issued an opinion that splits the difference, but in ways that significantly change the landscape for both sides of these disputes.

The Big Move: “Actually Viewed” Is Dead

For more than a decade, California’s Court of Appeal had held that a plaintiff suing under the Confidentiality of Medical Information Act couldn’t state a claim unless the plaintiff alleged that the breached information was actually viewed by an unauthorized party. The rule originated in Regents of the University of California v. Superior Court in 2013 and was reinforced by Sutter Health v. Superior Court in 2014 and Vigil v. Muir Medical Group IPA, Inc. in 2022. Defendants relied on this rule routinely. If the laptop was stolen but never accessed, no claim. If the hard drive was lost but the data was encrypted and the thief was probably after the hardware, no claim. The “actually viewed” requirement was, for years, one of the most defendant-friendly features of California data breach law.

The Supreme Court has now disapproved all three of those opinions to the extent they’re inconsistent with the new standard. In place of “actually viewed,” the Court adopted what it described as the primary inquiry going forward: whether the information was exposed to a significant risk of unauthorized access or use.

The Court’s reasoning is grounded in the statutory text. Civil Code section 56.101 requires covered entities to preserve the confidentiality of medical information. Civil Code section 56.36, in turn, authorizes a civil action and even provides for nominal damages of $1,000 without any requirement that the plaintiff suffered or was threatened with actual damages. The Court concluded that a regime that conditions liability on proof of actual viewing is hard to square with a statute that authorizes recovery without proof of actual harm.

The Court also flagged a practical concern that resonates with anyone who handles modern privacy litigation. Victims of data breaches rarely know what happened to their data unless they suffer downstream harm. And as the Court explicitly noted, breaches may now be facilitated by artificial intelligence or automated cybercrime in ways that never involve a human actually viewing the information. An “actually viewed” rule fits an earlier era of data theft. It doesn’t fit how breaches happen in 2026.

Importantly, the Court was careful to clarify that mere loss of possession isn’t always enough. The “significant risk” standard is meant to do real work. Smash-and-grab thefts of hardware where the thief was after the device, not the data, may fall short. Encrypted data with no realistic path to access may fall short. The analysis is fact-intensive and considers the form, duration, and extent of the breach, as well as any mitigation by the covered entity. Justice Groban’s concurrence pushed this point further, emphasizing that the new standard demands a realistic and appreciable risk, not mere theoretical exposure, and that any “significant risk” must be grounded in facts showing unauthorized access or use is reasonably likely under the circumstances.

The Other Move: Who Is a “Provider of Health Care”

The plaintiff still lost the case. The Court held that J.M. hadn’t adequately alleged that Illuminate is a “provider of health care” within the meaning of Civil Code section 56.06, which is a threshold requirement for any claim under the relevant sections of the Confidentiality of Medical Information Act.

The reasoning is worth understanding because it draws a line that many software vendors will want to study. Section 56.06 reaches businesses that maintain medical information in order to make that information available to individuals or to health care providers, for the purpose of allowing the individual to manage their own information or for diagnosis and treatment. The Court found that J.M.’s complaint alleged that Illuminate makes its data available to educators, students, and parents to support educational evaluation and planning, not for individual medical management or for diagnosis and treatment by a health care provider. The Legislature, the Court explained, had specific business models in mind when it extended the statute beyond traditional medical providers, including personal health record services and consumer-facing health applications. A business-to-business educational software platform, even one that stores medical information, doesn’t automatically fall within those categories.

Justice Groban’s concurrence went further on this point. He argued that J.M. had also failed to allege that maintaining medical information is integral to Illuminate’s business purpose in the first place, and that he would have affirmed the trial court’s denial of leave to amend, on the view that the defects in the complaint can’t be cured. The majority left that determination to the lower courts on remand.

For technology companies, the holding cuts two ways. The expanded liability standard means that covered entities now face data breach exposure on substantially easier pleading terms than before. But the statutory definition of who counts as a covered entity remains limited, and businesses that process medical information purely as part of a downstream service to a business customer, rather than as a service to individual end users, may not be covered at all.

The Customer Records Act Holding

The Court also held that J.M. couldn’t sue under the Customer Records Act because he wasn’t Illuminate’s “customer” within the meaning of that statute. The Customer Records Act authorizes a civil action by an injured “customer,” which it defines as an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from that business.

The Ventura County Office of Education purchased Illuminate’s services. J.M. didn’t. The Court of Appeal had reasoned that J.M. and other students were the ultimate beneficiaries of Illuminate’s services and should be treated as customers for purposes of the statute. The Supreme Court rejected that reasoning. The Customer Records Act defines “customer” narrowly and uses that term, rather than the broader “consumer” or “individual,” when authorizing a private right of action. The Legislature’s choice is treated as deliberate.

This is a meaningful clarification for any business that operates on a business-to-business model where the end users of the service never directly transact with the vendor. The Customer Records Act may not give those end users a path to sue the vendor directly, even when the vendor experiences the breach.

What This Means in Practice

A handful of takeaways are worth flagging for in-house counsel, technology executives, and anyone with vendor risk on their balance sheet.

The “actually viewed” defense is gone for any covered entity. Vendor and service agreements that allocated risk on the assumption that this defense was available need to be re-papered. Incident response playbooks that assumed a breach without confirmed access would be defensible need to be revisited.

The statutory definition of “provider of health care” still does work. Tech vendors processing medical information in a purely business-to-business context, without making the information available to individuals for personal management or to providers for diagnosis and treatment, may have a strong argument that they aren’t covered. That argument has to be made carefully and is fact-dependent.

End users may have fewer direct paths to sue a business-to-business vendor under the Customer Records Act than the Court of Appeal had suggested. But other statutory regimes, including the California Consumer Privacy Act, remain available and contain their own enforcement mechanisms.

The Court’s specific reference to artificial intelligence as a mechanism by which breaches can occur without human viewing isn’t a holding, but it signals that California courts are thinking about how privacy statutes apply to modern data exposure scenarios. Businesses building AI products, or businesses whose data may be ingested by AI systems, should treat this as one more reason to take a fresh look at their data governance.

Bottom Line

J.M. v. Illuminate Education, Inc. is the kind of decision that will be litigated around for years. Plaintiffs’ counsel will lean on the new “significant risk” standard. Defense counsel will lean on the narrow statutory definitions that still limit who is covered in the first place. The shape of California data breach litigation just changed, and the right time to think about what that means for your business is now, not after the next incident.

If your business processes personal or medical data through third-party vendors, or if you’re the vendor sitting on that data, this decision changes the calculus on incident response, contract allocation, and litigation exposure. Reach out to Horst Legal Counsel to talk through how this affects your operation.