Opinion
B297712
12-06-2021
A. DOE et al., Plaintiffs and Appellants, v. SUTHERLAND HEALTHCARE SOLUTIONS, INC. et al., Defendants and Respondents.
Nelson & Fraenkel, Gretchen M. Nelson, Gabriel S. Barenfeld; Kabateck, Brian Kabateck, Anastasia K. Mazzella; Genie Harrison Law Firm, Genie Harrison; Righetti Glugoski, Matthew Righetti; Law Offices of Kevin T. Barnes and Gregg Lander for Plaintiffs and Appellants. Baker & Hostetler, Teresa C. Chow, Matthew C. Baisley, Paul Karlsgodt and Casie Collignon for Defendant and Respondent Sutherland Healthcare Solutions, Inc. Jones Day, Daniel J. McLoon, David J. Feder; Office of the Los Angeles County Counsel, Brian T. Chu and Brandi M. Moore for Defendant and Respondent County of Los Angeles.
NOT TO BE PUBLISHED
APPEAL from a judgment of the Superior Court of Los Angeles County, Nos. BC539436, BC539844, BC542556 Ann I. Jones, Judge. Reversed and remanded with directions.
Nelson & Fraenkel, Gretchen M. Nelson, Gabriel S. Barenfeld; Kabateck, Brian Kabateck, Anastasia K. Mazzella; Genie Harrison Law Firm, Genie Harrison; Righetti Glugoski, Matthew Righetti; Law Offices of Kevin T. Barnes and Gregg Lander for Plaintiffs and Appellants. 1
Baker & Hostetler, Teresa C. Chow, Matthew C. Baisley, Paul Karlsgodt and Casie Collignon for Defendant and Respondent Sutherland Healthcare Solutions, Inc.
Jones Day, Daniel J. McLoon, David J. Feder; Office of the Los Angeles County Counsel, Brian T. Chu and Brandi M. Moore for Defendant and Respondent County of Los Angeles.
PERLUSS, P. J.
Following the theft of eight computers from an office of Sutherland Healthcare Solutions, Inc., a company that provides billing and payment processing services to hospitals including those operated by the County of Los Angeles, six affected individuals sued Sutherland and the County for violations of the Confidentiality of Medical Information Act (CMIA) (Civ. Code, § 56 et seq.) and negligence in a putative class action lawsuit, alleging their confidential medical and personally identifiable information had been compromised. Their complaint sought statutory damages for the CMIA violation, as provided in sections 56.36, subdivision (b), and 56.101, subdivision (a), and, as actual damages for negligence, the value of the lost information and the cost of credit monitoring services and enhanced security measures undertaken by certain plaintiffs.
Statutory references are to this code unless otherwise stated.
The trial court granted Sutherland and the County's motion for summary judgment, ruling as to the CMIA claim that plaintiffs' circumstantial evidence was insufficient to create a triable issue that the confidential nature of the plaintiffs' medical information had been breached by an unauthorized individual, as required by the Third District's decision in 2 Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 1555 (Sutter Health) and this court's decision in Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549, 570 (Regents), and as to the negligence cause of action that plaintiffs had not presented evidence they had suffered actual damages or that potentially cognizable damages had been caused by the theft of the computers. The court also ruled that plaintiffs had failed to properly allege the County had violated a mandatory duty imposed by statute and that the County was immune from liability for common law negligence.
We reverse the judgment, affirming the order of summary adjudication as to the CMIA cause of action but reversing as to the negligence claim. On remand plaintiffs may renew their motion for leave to amend the complaint, which was denied by the trial court while the summary judgment motion was pending.
FACTUAL AND PROCEDURAL BACKGROUND
1. The Theft of Sutherland Computers Containing Confidential Information
a. Sutherland's data handling practice
For Sutherland to perform its billing and payment processing services, the County electronically transmitted patient data to Sutherland, which stored the information on a secure shared drive. Sutherland employees who worked with the data emailed documents, including spreadsheets, containing the personal health and personally identifiable information of individuals treated at county facilities. The computers at Sutherland's Torrance office were configured to save a cache of all emails sent and received by the computer user. As a result, every hard drive had a file containing all emails and attachments sent 3 and received at that computer. Some employees also stored documents on their computers' hard drive.
The network server at Sutherland's Torrance office was encrypted. Access to individual computers required a username and password, but information stored on those computers was not encrypted. Although the degree of difficulty was debated by the parties' experts, it was undisputed that it was feasible for someone with the proper skillset to access the data on the password-protected computers.
b. The burglary
In the evening of February 5, 2014 someone entered Sutherland's Torrance office and stole eight desktop computers. The stolen computers were among nearly 80 in the office and were spread throughout the 9, 000 square foot facility. Six of the stolen computers were used by higher-level employees. Several of the individuals whose computers were taken admitted at deposition that they kept their passwords in a folder on their hard drives and had downloaded patient medical records and personally identifiable information onto their hard drives.
The hard drives in the eight stolen desktop computers contained files that included medical information or personally identifiable information for more than 340, 000 patients at county health care facilities. Following the theft Sutherland sent notification letters to more than 300, 000 patients. Law 4 enforcement (the Torrance Police Department, the Los Angeles Police Department, the FBI and the Secret Service) investigated the theft and identified several suspects, but no arrests were made or charges filed. The stolen computers have not been recovered.
The notice advised the stolen computers "contained personal information including your first and last name, Social Security number, and billing information. In addition, the stolen computers may have included your date of birth, address, diagnoses and other medical information." "Because of the type of personal information involved," the notice continued, "we encourage you to take steps to protect yourself from identity theft. We are offering credit monitoring services [that] will include: 12 months of credit monitoring, a $20,000 insurance reimbursement policy, Healthcare Identity Protection Toolkit', exclusive educational materials and access to fraud resolution representatives."
2. The Lawsuits
The first class action lawsuit arising from the February 5, 2014 burglary was filed against Sutherland in March 2014. On September 25, 2014 three lawsuits were consolidated, and, pursuant to stipulation, on October 31, 2014 a consolidated amended class action complaint was filed by Mario Cazarin, John Galliano, Tanikka Harasim, Oswald Robinson, Tu Kamon and Damon English against Sutherland and the County, asserting causes of action for violation of CMIA, negligence and violations of section 1798.81.5, failure to provide reasonable security procedures and practices with respect to California residents' personal information, and section 1798.82, failure to provide notice regarding a breach of security regarding California residents' personal information. Each of the six plaintiffs had received Sutherland's notice of the computer thefts.
Following a partially successful demurrer, plaintiffs on May 11, 2015 filed the operative consolidated second amended class action complaint, alleging causes of action for violation of CMIA and negligence against both Sutherland and the County 5 and violation of section 1798.82 against Sutherland. Plaintiffs sought actual damages and/or statutory damages for violation of CMIA and actual damages for the failure to protect their medical and personally identifiable information in the other two causes of action.
After another pleading challenge, the court sustained the demurrer to the cause of action under section 1798.82 with leave to amend and overruled the demurrer to the CMIA and negligence claims. Plaintiffs did not amend further, and the section 1798.82 cause of action is not at issue in this appeal. Sutherland and the County answered the complaint on October 28, 2015.
The court sustained the demurrer as to all of English's causes of action against the County based on his failure to file a timely prelawsuit claim under the Government Claims Act.
3. The Motion for Leave To Amend
In September 2017, approximately five months after Sutherland and the County moved for summary judgment, plaintiffs sought leave to amend their complaint to add claims against Sutherland for breach of contract (as third party beneficiaries) and for violation of the unfair competition law (UCL) (Bus. & Prof Code, § 17200 et seq.). In support of their request plaintiffs argued the new causes of action related to the same general facts alleged in the operative complaint but added allegations based on evidence obtained from documents recently produced by the County and Sutherland, specifically the contracts between the County and Sutherland and documents "evidencing the County's promises to Plaintiffs and Class members related to the confidentiality of collected patient 6 information which, in large part, form the basis for the additional causes of action against Sutherland in the Proposed Third Amended Complaint."
Sutherland and the County opposed the motion, arguing plaintiffs had unreasonably delayed in seeking leave to amend, they would be severely prejudiced if amendment were allowed, and the proposed amendments were futile. The trial court denied the motion in a three-page ruling on October 4, 2017, finding the additional discovery plaintiffs stated had alerted them to the existence of their new claims "was substantially available-either as part of the public record or as part of the documents produced to plaintiffs in 2015-over a year and a half ago."
The court ruled delay without a valid showing of excuse was a significant factor in considering a motion for leave to amend and could be a sufficient reason without more to deny the motion. In addition, the court found amendment at that point in the case would significantly prejudice defendants. The court pointed out that a motion for summary judgment had been filed by defendants and significant discovery had taken place, including "a considerable amount of discovery [by plaintiffs] in order to oppose that motion." Permitting the amendment would likely lead to another demurrer and then a new motion for summary judgment, preceded by additional discovery. "Such a delay is not only unjustified but would reopen much of the concluded discovery and significantly impair the case management plan that has been structured by this court for over two years. While there is no trial date set, the potentially dispositive motions are set for early next year. Additional causes of action would preclude [that] hearing . . . from going forward in a timely fashion." 7
Finally, without definitively deciding the issue, the court indicated skepticism about the merits of at least the contract claim in light of express language in the pertinent agreements excluding third party beneficiaries.
4. The Motion for Summary Judgment or, Alternatively, Summary Adjudication
In April 2017 Sutherland and the County moved for summary judgment and in January 2018 filed an amended motion. On the CMIA claim, defendants asserted as to four of the six plaintiffs there was no medical information contained in the data that might be accessed from the stolen computers, and as to two of the plaintiffs the stored medical information was not private or confidential because their conditions were publicly observable. Most significantly, contending it was inherently speculative to conclude the motivation for the computer theft was to mine and sell the data the computers may have contained, Sutherland and the County argued plaintiffs could not prove confidential medical information on the stolen computers had been viewed by any unauthorized person, as required by Sutter Health, supra, 227 Cal.App.4th 1546 and Regents, supra, 220 Cal.App.4th 549 to establish a CMIA claim for the negligent release of confidential information.
Emphasizing there was no direct evidence that stolen medical information had been accessed, Sutherland and the County argued the circumstantial evidence proffered by plaintiffs (evidence indicating the probable motivation for the burglary was to steal medical information and one of the named plaintiffs and others affected by the burglary had reported attempts at identity theft after the incident), while arguably sufficient to survive a demurrer, as the trial court had held, was insufficient to create a 8 triable issue of fact on summary judgment. In support Sutherland and the County submitted a report from Dr. Marcus K. Rogers, an expert in investigating cybercrimes, stating, as the lower boundary of the true total, an estimated 7 percent of the United States population 16 years or older is a victim of identity theft. Using that estimate, 23, 709 of the 338, 700 patients whose information was contained on the stolen computers were likely to have been victims of identity theft unrelated to the Sutherland computer theft. Yet, according to Sutherland and the County's expert, there were only eight reported separate instances of attempted fraud by persons whose data were contained on the stolen Sutherland systems. The Sutherland and County expert also opined that, if someone were to become a victim of financial fraud or identity theft through the use of information taken from the computer systems, it would be completely coincidental that medical information pertaining to a particular individual was viewed, and it would depend on the proximity of one person's information to another person's information in a particular file.
A second defense expert, Dr. Thomas Holt, opined that, even if cyber criminals had obtained the data stored on the stolen computers, the format of the medical information contained in the local files and the lack of value that cyberhackers attach to medical information made it unlikely that unauthorized persons would have viewed, mined, obtained or sold the medical information. Rather, the personally identifiable information that was also contained in the local files was far more valuable and far less time-consuming to mine than the medical information.
As for the negligence claim, Sutherland and the County did not dispute the allegation Sutherland had failed to act reasonably 9 to protect confidential medical information or personally identifiable information stored on the stolen desk top computers, but argued none of the plaintiffs could prove cognizable damages: "Either they claim no concrete losses at all, or they claim losses that the law does not recognize as damages." Only one of the plaintiffs alleged a specific loss of money (something less than $60 attributed to an unrecognized credit card charge in 2015), and he was unable to provide any information that would tie it to the Sutherland theft. Expenses for credit monitoring services to mitigate a risk of future harm, Sutherland and the County argued, were insufficient to qualify as cognizable injury in a negligence claim; and personal time spent reviewing information related to the theft did not constitute actual harm. In addition, they contended, given the prevalence of identity theft resulting from the many recent large scale data breaches that had occurred throughout the country, plaintiffs could not prove actual causation between the several instances of attempted fraud or identity theft reported by individuals whose information was on the stolen computers (only one of which involved a named plaintiff) and the Sutherland burglary.
Finally, the County argued there is no common law governmental tort liability in California. As such, the County asserted, it is immune from liability for common law negligence.
5. Plaintiffs' Opposition and Defendants' Reply
In their opposition papers plaintiffs argued the stolen data contained confidential medical information as to all six of them. As to the four described by defendants as without medical information in the stolen computers, plaintiffs argued each had "CPT" (current procedural terminology) codes in his or her data, alphanumerics assigned to every task and service a medical 10 practitioner may provide a patient, which are used by insurers to determine reimbursement amounts. A CPT code can be entered into an internet search engine to determine the procedure and/or diagnosis and thus constitutes medical information within the meaning of CMIA, they argued. As to the other two plaintiffs, plaintiffs disputed the extent to which they openly discussed their medical conditions and argued the visibility of a condition alone is insufficient to constitute a waiver of confidentiality of all medical information about the condition.
As to Sutherland and the County's primary argument that plaintiffs could not establish a CMIA violation, plaintiffs insisted it was a reasonable inference from the circumstantial evidence that the stolen data had been improperly viewed or otherwise accessed by unauthorized individuals. First, plaintiffs argued it was a reasonable inference (not mere speculation) the computers had been stolen because of the value on the black market of the data they contained. Plaintiffs provided evidence the estimated value of the individual computers was between $300 and $500. (The Torrance Police Department estimated the total value of the stolen hardware, which included two monitors in addition to the eight computers, at $4,104.) The medical information and personally identifiable information were valued at between $10 and $500 per individual patient on the black market. In 11 addition, plaintiffs noted that none of the computer cables or other accessories, except for two monitors, had been taken, nor were the computers taken closest to the door used to enter the facility, suggesting it was not the value of the equipment taken that motivated the thief. They also quoted from the search warrant affidavit of a district attorney's office investigator that the stolen computers were an "ideal source of PII [personally identifiable information] for the purposes of tax fraud or many other identity theft or fraud schemes." The investigator also opined the computers had been specifically targeted.
In a declaration submitted with their opposition papers, plaintiffs' expert James Van Dyke explained consumers' personally identifiable information "remains of high value to identity criminals." Although he stated costs range from under $10 to over $400 depending on quality, citing the Identity Theft Resources Center, he declared, on average, a criminal can purchase personally identifiable information from another criminal on the black market for somewhere between 12 and 16 dollars. He continued, "Estimates for health records range from $10 to $50 per individual."
Second, plaintiffs provided expert evidence refuting any suggestion it would be difficult to access unencrypted data on the stolen computers. Third, plaintiffs pointed to 10 known incidents of identity fraud or attempted identity theft by individuals affected by the security breach, including use of social security numbers to open fraudulent credit accounts, which they described as "close in time" to the Sutherland breach; and their cybersecurity expert, Christopher Tarbel, opined, to a reasonable degree of certainty, that the stolen data had been viewed and accessed by cybercriminals.
As to the negligence claim, plaintiffs argued they were entitled to recover the value of the personal information stolen from them (analogizing to the valuation of stolen access card account information in criminal cases to determine whether the theft is a felony or misdemeanor) and contended expenses incurred for credit monitoring and enhanced home security were also recoverable. Whether those damages were caused by 12 Sutherland and the County's negligence, they asserted, was a factual issue that was not properly decided on summary judgment. Finally, as to the County, plaintiffs argued their negligence claims were based on the County's breach of its statutory obligations under CMIA.
Concurrently with their opposition papers plaintiffs filed numerous (and detailed) evidentiary objections to Sutherland and the County's evidence, including to the declarations of Dr. Rogers and Dr. Holt, the two defense experts.
In their reply memorandum Sutherland and the County emphasized that only 10 (approximately) of the nearly 400, 000 individuals given notice of the theft of the Sutherland computers had alleged any attempted fraud or identity theft and none of those reports involved the misuse of medical information. Plaintiffs' circumstantial evidence, they argued, was at most speculation about how the information on the stolen computers might have been misused. All plaintiffs actually established was that it was technologically feasible for an unauthorized individual to break into the computers, the medical and personal data were more valuable on the black market than the hardware stolen, and the computers may have been specifically selected by the thief on some basis other than convenience. Quoting this court's Regents decision, they continued, "[T]he only conclusion supported by the record is that 'no one (except perhaps the thief) knows what happened . . .,' and therefore Plaintiffs cannot prove their 'medical records were, in fact, viewed by an unauthorized individual." 13
6. The Court's Ruling
Following oral argument on December 10, 2018, the court on December 19, 2018 issued a 14-page ruling, granting Sutherland and the County's motion. The court first found as to three of the plaintiffs (Galliano, Harasim and English) there were no CPT codes or other medical information pertaining to them in the stolen computers. Accordingly, the court granted the motion for summary adjudication as to the CMIA cause of action as to those three plaintiffs. Although there were CPT codes in the data concerning Kamon, the court agreed with Sutherland and the County that Kamon had presented no evidence her CPT codes disclosed confidential medical information. On that basis the court granted summary adjudication on the CMIA claim against Kamon.
The court overruled all 123 of plaintiffs' objections to defendants' evidence. As to objections 1-59 and 62-90 the court stated, "These are not objections to specific evidence. Rather, these are objections to facts set forth in Defendants' separate statement." No other explanation was given for overruling those objections or for any of the other objections.
Accepting Sutherland and the County's argument that a visible medical condition precluded a CMIA claim, the court also granted summary adjudication on that cause of action as to Cazarin notwithstanding the presence of confidential medical information concerning him within the data on the stolen computers.
In addition, as to Cazarin and the sixth plaintiff, Robinson, the court ruled their contention that anyone had actually viewed their confidential medical information required "layers of speculation." The court wrote, "At best, Plaintiffs have shown a 14 possibility that the password-protected (albeit unencrypted) confidential medical information on the stolen computers was viewed." But, the court ruled, quoting Sutter Health, supra, 227 Cal.App.4th at page 1558, "that is not the standard." The court concluded plaintiffs had not presented evidence from which a trier of fact could reasonably infer the computers were targeted for their data. In addition, observing that proof of an actual breach of confidentiality is required, not merely accessibility of the data, the court noted that none of the limited incidents of identity theft (or attempted identity theft) had involved Cazarin or Robinson and thus did not assist in demonstrating a triable issue of fact regarding the "actually viewed" element of their CMIA claim. Accordingly, the court granted the motion for summary adjudication of the CMIA claim as to Cazarin and Robinson.
Turning to the negligence claim, the court agreed with Sutherland and the County that plaintiffs had failed to present evidence of actual damages. The court rejected the contention the value of the stolen information is recoverable, pointing out that section 3336, cited by plaintiffs, pertains to the measure of damages for conversion, not negligence. The court then acknowledged that credit monitoring services can constitute actual damages in an action for failure to protect confidential personal information, but ruled plaintiffs had failed to show the required logical and temporal connection between the decision to purchase those services and the alleged breach, noting there had been no showing that any suspicious activity related to plaintiffs involved the type of information contained on the stolen computers. The court also found plaintiffs' proof of causation insufficient to raise a triable issue, explaining that four of the 15 plaintiffs had not been the victims of any attempted fraudulent activity and the cause of the incidents involving the other two plaintiffs was "purely speculative." The court granted summary adjudication on the negligence claim on both of those grounds.
With regard to the negligence claim against the County, the court ruled, to the extent based on a violation of a mandatory duty imposed by CMIA, it was duplicative of the CMIA claim. No other statute creating a mandatory duty allegedly breached by the County was properly pleaded in the operative complaint. Accordingly, summary adjudication on the negligence claim was granted as to the County for this additional reason.
7. The Motion To Seal Portions of the Ruling
On February 14, 2019, nearly two months after the court's ruling granting the motion for summary judgment, plaintiffs filed an unopposed application to seal portions of the court's order referring to "Plaintiffs' confidential and private medical information protected by the Court's Stipulated Protective Order." The court granted the motion in part, redacting information regarding Robinson from the public filing, but otherwise denied the motion. In its minute order the court explained, "[W]hile Plaintiffs 'continue to believe' that their medical information is private and confidential [fn. omitted], the Court agreed with Defendants' argument that the medical information of Plaintiffs (except Plaintiff Oswald Robinson) on the stolen computers was not confidential based on facts identified on page 5 of its Order. Those facts are critical to the Court's ruling, and the right of public access to the basis for the Court's ruling prevails."
Judgment was entered on March 12, 2019. Plaintiffs filed a timely notice of appeal. 16
DISCUSSION
1. Standard of Review
A motion for summary judgment is properly granted only when "all the papers submitted show that there is no triable issue as to any material fact and that the moving party is entitled to a judgment as a matter of law." (Code Civ. Proc., § 437c, subd. (c).) We review a grant of summary judgment de novo (Samara v. Matar (2018) 5 Cal.5th 322, 338) and, viewing the evidence in the light most favorable to the nonmoving party (Regents of University of California v. Superior Court (2018) 4 Cal.5th 607, 618), decide independently whether the facts not subject to triable dispute warrant judgment for the moving party as a matter of law. (Hampton v. County of San Diego (2015) 62 Cal.4th 340, 347; Schachter v. Citigroup, Inc. (2009) 47 Cal.4th 610, 618.) "Circumstantial evidence is just as good as direct evidence to create a triable issue of fact." (Hussey-Head v. World Savings & Loan Assn. (2003) 111 Cal.App.4th 773, 780.)
2. Governing Law: CMIA
As defined by CMIA, "'Medical information' means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment." (§ 56.05, subd. (j).) "This definition 17 does not encompass demographic or numeric information that does not reveal medical history, diagnosis, or care. . . . [¶] . . . [T]he mere fact that a person may have been a patient at the hospital at some time is not sufficient." (Eisenhower Medical Center v. Superior Court (2014) 226 Cal.App.4th 430, 435.) In addition, "[c]onfirmation that a person's medical record exists somewhere is not medical information as defined under the CMIA." (Id. at p. 436.)
Section 56.05, subdivision (j), defines "Individually identifiable" for purposes of CMIA as meaning that "the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity."
CMIA prohibits health care providers and related entities from disclosing medical information regarding a person without authorization in certain specified instances (§ 56.10) and imposes a duty on health care providers who create, maintain or dispose of medical information to do so in a manner that preserves the confidentiality of that information (§ 56.101, subd. (a)). Any provider who negligently creates, maintains or disposes of medical information is subject to the remedies and penalties "provided under subdivisions (b) and (c) of Section 56.36" (§ 56.101, subd. (a)), which include actual damages suffered by the patient or nominal damages of $1,000 (§ 56.36, subd. (b)(1), (2)).
The private cause of action to enforce the duty imposed by section 56.101, subdivision (a), requires "pleading, and ultimately proving, that the confidential nature of the plaintiff's medical information was breached as a result of the health care provider's negligence." (Regents, supra, 220 Cal.App.4th at p. 570; accord, Sutter Health, supra, 227 Cal.App.4th at p. 1555 ["without an actual confidentiality breach, a health care provider has not violated section 56.101 and therefore does not invoke the remedy 18 provided in section 56.36"].) That is, although a patient need not plead and prove the health care provider engaged in some affirmative conduct leading to an unauthorized third party's access to confidential medical information (Regents, at p. 565 & fn. 12), more than loss of possession of records containing the confidential medical information must be shown. (Sutter Health, at p. 1557 ["[i]t is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of [CMIA]"]; Regents, at p. 570 ["more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information"].)
3. Plaintiffs Failed To Demonstrate Triable Issues of Fact as to Whether Their Confidential Medical Information Was Improperly Viewed or Otherwise Accessed
Acknowledging there is no direct evidence the confidentiality of the stolen medical information had been breached, plaintiffs argue on appeal it is a reasonable inference from the circumstantial evidence they proffered in opposition to the motion for summary judgment-the apparent targeting of the eight computers, the thief's decision not to steal other types of equipment (other than two monitors), the far greater black market value of the confidential data on the computers than the value of the stolen hardware, the unencrypted nature of those data, the relative ease with which they could be accessed, and at least 10 incidents of identity theft close in time to the incident- that the confidential medical information had been viewed or otherwise accessed by the thief or other unauthorized individuals, creating a triable issue of fact on that essential element of their CMIA cause of action. 19
Sutherland and the County dispute the significance of this inference, arguing it is only one of several possibilities and thus insufficient to defeat summary judgment, quoting Leslie G. v. Perry & Associates (1996) 43 Cal.App.4th 472, 483 (Leslie G.), which held, "Where, as here, the plaintiff seeks to prove an essential element of her case by circumstantial evidence, she cannot recover merely by showing that the inferences she draws from those circumstances are consistent with her theory. Instead, she must show that the inferences favorable to her are more reasonable or probable than those against her." It may have just been a "smash and grab" burglary, Sutherland and the County argue. Or it may have been a scheme of corporate sabotage intended to persuade the County to move the lucrative contract for patient billing and payment services to one of Sutherland's competitors based on Sutherland's demonstrated lack of security. And even if the computers were targeted, the motivation may have been the personally identifiable information they contained, such as social security numbers, rather than medical information. Each of these alternate theories, Sutherland and the County posit, are consistent with certain of the facts known about the burglary.
Sutherland and the County's assertion that it is the role of the trial court on summary judgment-or this court when conducting its de novo review-to determine which of several reasonable but conflicting inferences is more probable directly conflicts with Code of Civil Procedure section 437c, subdivision (c), which provides, "[S]ummary judgment shall not be granted by the court based on inferences reasonably deducible from the evidence if contradicted by other inferences or evidence that raise a triable issue as to any material fact." Indeed, as 20 Justice Miriam Vogel, the author of Leslie G., explained in rejecting an expansive interpretation of that decision several years later in Hussey-Head v. World Savings & Loan Assn., supra, 111 Cal.App.4th at page 780, citing and quoting Saelzler v. Advanced Group 400 (2001) 25 Cal.4th 763, 767, all that is necessary for a plaintiff opposing summary judgment is to "create a reasonable inference" the defendant violated the statute at issue, since, "to prevail by summary judgment, the moving party must establish that '"under no hypothesis is there a material issue of fact that requires the process of trial."'" (Accord, Savaikie v. Kaiser Foundation Hospitals (2020) 52 Cal.App.5th 223, 229-230 ["'[g]enerally, when conflicting inferences can be reasonably drawn from the evidence, a triable issue of fact is deemed to exist'"]; Pierson v. Helmerich & Payne Internat. Drilling Co. (2016) 4 Cal.App.5th 608, 627 [same].)
The deficiency in plaintiffs' CMIA proof is not their failure to create triable issues of fact concerning the motivation for the burglary and the likelihood some of the stolen medical information was viewed or otherwise accessed, but their lack of evidence that plaintiffs' confidential medical information was compromised. The private cause of action for negligent release of confidential medical information created by sections 56.36, subdivision (b), and 56.101, subdivision (a), like the right of privacy itself, "is purely a personal one." (See Regents, supra, 220 Cal.App.4th at p. 563 & fn. 6.) A patient may sue for statutory damages for a breach of confidentiality only if the compromised information "concern[ed] him or her." (§ 56.36, subd. (b); see Regents, at p. 563 ["[a]t the very least, the information potentially compromised as a result of the negligent conduct must relate to the individual initiating the action"].) 21
Plaintiffs do not challenge the trial court's ruling that no confidential medical information concerning Galliano, Kamon or English was stored on the stolen computers. Although they have not made the same express concession regarding Harasim and contest the trial court's finding that she waived any confidentiality because an aspect of her medical condition was publicly visible-an issue we need not address-they have not argued the trial court erred in its additional finding that there were no CPT codes or other confidential medical information concerning her on the stolen computers. As to these four plaintiffs, then, the court's order granting summary adjudication of the CMIA cause of action must be affirmed.
What about Cazarin and Robinson, the remaining two plaintiffs? As discussed, data on the stolen computers included information (medical information, personally identifiable information or both) for more than 340, 000 patients at county health care facilities. According to plaintiffs, after eliminating duplications, there were approximately 460, 000 unique documents stored on the eight computers. No single document or discrete set of documents contained all relevant patient information.
Even if plaintiffs' circumstantial evidence supports the reasonable inference that the confidentiality of some of those patients' medical information was breached following the theft, there is no evidentiary basis-reasonable or otherwise-for inferring that the confidential medical records of Cazarin or Robinson were among them. As the trial court emphasized, none of the approximately 10 incidents of identity theft or attempted identity fraud arguably linked to the Sutherland burglary involved either Cazarin or Robinson. While it is certainly true, as 22 plaintiffs contend, that being a victim of identity fraud is not an element of a CMIA claim-the confidential medical information need only be viewed or accessed, not used-evidence that one type of confidential information had been accessed and used would have supported an inference other aspects of that patient's stolen data had been viewed, as well. Plaintiffs identified nothing else in the record that would permit a jury to find that records specific to Cazarin or Robinson were among those opened or actually viewed following the theft of the computers, assuming any records were.
Ultimately, then, the argument that Cazarin's and Robinson's CMIA claims survive summary judgment depends on the contention the circumstantial evidence created a reasonable inference, and thus a triable issue, not only that some of the confidential medical information on the stolen computers was viewed but that all of it was. As to this inference, too, there is no evidentiary basis. To the contrary, defendants' experts opined that a criminal who intended to mine the stolen information for sale would likely have employed an automated process that targeted specific types of data and would limit any manual review to spot checking to assist that process. The volume of data and variety of attachments, they explained, would have made it infeasible for anyone to manually view all the data even if the contents of the hard drives were accessed. Plaintiffs did 23 not dispute that overall assessment, contesting only the degree of difficulty in viewing unencrypted data on a password protected computer while essentially agreeing a manual review of all data would be unnecessary to effect the data theft. Evidence that suggests data might have been transferred through an automated process from one set of computers to another without some indication all the data were viewed, directly or indirectly, falls short of creating a triable issue whether the confidentiality of medical information personal to Carazin or Robinson was breached. 24
On appeal plaintiffs contend the trial court's "blanket" overruling of all 123 of its objections to defendants' evidence with little or no explanation was an abuse of discretion. Citing primarily Nazir v. United Airlines, Inc. (2009) 178 Cal.App.4th 243, they assert such a ruling affords no meaningful basis for review and could be treated as a failure to rule at all. They may be correct. But if plaintiffs intended that we disregard on appeal the evidence presented by defendants' experts, it was their burden to renew their objections and present arguments that would support sustaining them. (See Reid v. Google, Inc. (2010) 50 Cal.4th 512, 534 ["presumptively overruled objections can still be raised on appeal, with the burden on the objector to renew the objections in the appellate court"].) Their opening brief entirely fails to do that, and their reply brief is only minimally better. Accordingly, we consider defendants' expert reports to this limited extent. (See People v. Tully (2012) 54 Cal.4th 952, 1075; Sweetwater Union High School Dist. v. Julian Union Elementary School Dist. (2019) 36 Cal.App.5th 970, 987.)
Plaintiffs in their reply brief emphasize that in Regents, supra, 220 Cal.App.4th 549, we referred to "viewed or otherwise accessed," not simply "viewed" and suggest, without elaboration, the "accessed" standard is somehow broader than "viewed" and that under this more expanded interpretation of CMIA Cazarin's and Robinson's claims survive. Plaintiffs misapprehend the import of that language. In Regents we rejected the argument a private cause of action under Civil Code sections 56.36, subdivision (b), and 56.101 requires pleading and proof of an affirmative disclosure by the health care provider. In doing so, we considered regulatory safeguards in the Health and Safety Code, enacted some years after the CMIA provisions at issue in the case, that expressly addressed "'unlawful or unauthorized access to'" confidential medical information, as well as its unauthorized "'use or disclosure.'" (See Regents, at p. 568.) The argument advanced was that "negligently release[ ]" in Civil Code section 56.36, subdivision (b), must mean more than permitting unauthorized "access to" because the Legislature used that term in the new regulatory protections when it meant it. Not so, we held. Nothing in those newer statutes or their legislative history indicated the Legislature in providing additional protections for confidential medical information intended to modify or displace existing private remedies for the negligent storage or disposal of such information, which did not require affirmative disclosures. (Regents, at p. 568) However, because the Legislature had used "access" to refer to the concept we held encompassed by "negligently released," the statutory term at issue in Regents, we did as well.
4. Plaintiffs Established Triable Issues of Fact Regarding Actual Damages and Causation for Purposes of Their Negligence Claim
To establish a prima facie case of negligence, a plaintiff must prove the defendant owed a duty to the plaintiff, the defendant breached that duty, and the defendant's breach proximately caused the plaintiff damage. (Lockheed Martin Corp. v. Superior Court (2003) 29 Cal.4th 1096, 1106; Paz v. State of California (2000) 22 Cal.4th 550, 559.) In moving for summary judgment Sutherland and the County did not challenge plaintiffs' ability to prove duty or breach, arguing only that they lacked evidence of causation and damage. (See Jimenez v. Superior Court (2002) 29 Cal.4th 473, 483 ["'appreciable, nonspeculative, present injury is an essential element of a tort cause of action'"].)
Effectively conflating those arguments, the trial court ruled, although under certain circumstances the costs incurred 25 for credit monitoring services were recoverable as damages in a data breach case (as it had concluded when overruling Sutherland and the County's demurrer to the negligence cause of action), those costs did not qualify as actual damages here because plaintiffs had failed to present evidence there was a "'logical and temporal connection between the decision to purchase credit monitoring services and the defendant's alleged breach.'"
We agree credit monitoring costs and other economic losses incurred to combat potential identity theft are recoverable as damages if the remaining elements of a negligence claim arising from the breach of confidentiality of medical or personally identifiable information have been proved. The right to recover the cost of periodic monitoring due to an increased risk of future injury created by a defendant's negligent conduct is well-established in California tort law. In Potter v. Firestone Tire & Rubber Co. (1993) 6 Cal.4th 965, a case involving the illegal dumping of toxic water materials, the Supreme Court held expenditures for prospective medical testing and evaluation that would be unnecessary absent wrongful exposure are "'detriment proximately caused'" by negligent disposal of toxic substances. (Id. at p. 1005.) Accordingly, the Court held, "[T]he cost of medical monitoring is a compensable item of damages where the proofs demonstrate, through reliable medical expert testimony, that the need for future monitoring is a reasonably certain consequence of a plaintiff's toxic exposure and that the 26 recommended monitoring is reasonable." (Id. at p. 1009;see Lockheed, supra, 29 Cal.4th at p. 1105 ["Potter simply specified for the medical monitoring context the traditional requirement that a plaintiff prove causation of damage. Thus, while in Potter we 'ma[de] it clear that the monitoring must be "additional or different"' than that previously required [citation], we just as clearly stated that 'if additional or different tests and examinations are necessitated as a result of the toxic exposure caused by the defendant, then the defendant bears full responsibility for their costs'"].) It is an entirely appropriate application of the principles underlying Potter's holding that the cost of prospective medical monitoring is cognizable injury in a negligence action to impose responsibility for the cost of credit monitoring services on defendants found liable for a data breach if plaintiffs prove causation. 27
Although the stolen computers contained only Cazarin's and Robinson's confidential medical information, all six plaintiffs' personally identifiable information was among the data on the computers.
Expanding on its holding the Supreme Court stated, "In determining the reasonableness and necessity of monitoring, the following factors are relevant: (1) the significance and extent of the plaintiff's exposure to chemicals; (2) the toxicity of the chemicals; (3) the relative increase in the chance of onset of disease in the exposed plaintiff as a result of the exposure, when compared to (a) the plaintiff's chances of developing the disease had he or she not been exposed, and (b) the chances of the members of the public at large of developing the disease; (4) the seriousness of the disease for which the plaintiff is at risk; and (5) the clinical value of early detection and diagnosis. Under this holding, it is for the trier of fact to decide, on the basis of competent medical testimony, whether and to what extent the particular plaintiff's exposure to toxic chemicals in a given situation justifies future periodic medical monitoring." (Potter v. Firestone Tire & Rubber Co., supra, 6 Cal.4th at p. 1009.)
As the district court explained in Huynh v. Quora, Inc. (N.D.Cal. 2020) 508 F.Supp.3d 633 in denying a motion for summary judgment in a putative class action asserting claims under California law for negligence and violation of the UCL following a data breach, although "California courts have not considered whether time and money lost to credit monitoring from the future threat posed by compromised PII are damages to support a negligence claim" (id. at p. 649), "courts confronting the issue in this Circuit have extended the toxic tort exception to data breach cases in which PII is compromised." (Id. at p. 650.) The Huyn court cited decisions from the Northern District, Central District and Southern District of California before ruling, "[T]his Court agrees with Plaintiff that the time and money she spent on credit monitoring in response to the Data Breach is cognizable harm to support her negligence claim." (Ibid.; accord, Schmitt v. SN Servicing Corp. (N.D.Cal., Aug. 9, 2021, No. 21-cv-3355-WHO) 2021 U.S.Dist. Lexis 149252, *18 ["t]he money and time plaintiffs spent on credit monitoring are both cognizable forms of harm"]; see Lewert v. P.F. Chang's China Bistro, Inc. (7th Cir. 2016) 819 F.3d 963, 967 [plaintiffs' alleged injuries- "the increased risk of fraudulent charges and identity theft they face because their data has already been stolen"-"are concrete enough to support a lawsuit"]; Galaria v. Nationwide Mutual Ins. Co. (6th Cir. 2016) 663 Fed.Appx. 384, 388 28 ["[A]lthough it might not be 'literally certain' that Plaintiffs' data will be misused [citation], there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable. Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse-a fraudulent charge on a credit card, for example-before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps"]; but see Tsao v. Captiva MVP Restaurant Partners, LLC (11th Cir. 2021) 986 F.3d 1332, 1340, 1345 [explaining the Sixth, Seventh, Ninth and D.C. Circuits have all recognized a plaintiff can establish injury-in-fact based on the increased risk of identity theft following a data theft, while the Second, Third, Fourth and Eighth Circuits have declined to find standing on that theory, and concluding in the case before it the plaintiffs' mitigation costs did not constitute actual injury: "Tsao cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft"].)
Like Sutherland and the County, the defendant in Huynh v. Quora, Inc., supra, 508 F.Supp.3d 633 moved for summary judgment because "[p]laintiff has not suffered identity theft and asserts that she has voluntarily attempted to repair any hypothetical threat of future harm by temporarily purchasing credit monitoring services and monitoring her accounts." (Id. at p. 649.)
As for causation, a question of fact that generally cannot be decided on summary judgment (see State Dept. of State Hospitals v. Superior Court (2015) 61 Cal.4th 339, 353; Shih v. Starbucks Corp. (2020) 53 Cal.App.5th 1063, 1071), plaintiffs presented expert testimony concerning the increased risk of identity theft resulting from data theft and the steps breach victims should take to avoid identity theft as a result of data theft, including purchasing fraud protection programs and monitoring credit bureaus. They also submitted evidence they had incurred costs and suffered other forms of economic loss as a result of the data theft, including credit monitoring expenses. Moreover, following 29 the theft of the computers, "because of the type of personal information involved," Sutherland "encourage[d]" all of the County health care patients affected by the incident, including plaintiffs, "to take steps to protect yourself from identity theft" by, among other things, subscribing for a one-year credit monitoring program it was providing, along with a $20,000 insurance reimbursement policy. This evidence was more than sufficient to create a triable issue of fact concerning causation- the temporal and logical relationship between Sutherland and the County's negligence and the actual damages allegedly suffered by plaintiffs.
It will be the trial court's responsibility to instruct the jury concerning plaintiffs' burden to prove the necessity for, and reasonableness of, the mitigation measures for which they seek recovery, translating into this context the five factors the Supreme Court identified in Potter v. Firestone Tire & Rubber Co., supra, 6 Cal.4th at page 1009 as relevant to the determination whether future periodic medical monitoring was justified. (See fn. 10.)
5. The County Is Not Immune from a Negligence Claim Predicated on Its Breach of Duty To Preserve the Confidentiality of Medical Information
There is no common law tort liability for public entities in California. "Under the Government Claims Act [citation], governmental tort liability must be based on statute." (B.H. v. County of San Bernardino (2015) 62 Cal.4th 168, 179 (B.H.); see Gov. Code, § 815, subd. (a) ["[e]xcept as otherwise provided by statute: [¶] . . . [a] public entity is not liable for an injury, whether such injury arises out of an act or omission of the public entity or a public employee or any other person"].) Government Code section 815.6 provides one of the statutory exceptions to this 30 general rule of public entity immunity: "Where a public entity is under a mandatory duty imposed by an enactment that is designed to protect against the risk of a particular kind of injury, the public entity is liable for an injury of that kind proximately caused by its failure to discharge the duty unless the public entity establishes that it exercised reasonable diligence to discharge the duty." (See Haggis v. City of Los Angeles (2000) 22 Cal.4th 490, 499-500 ["section 815.6 provides that the public entity 'is liable' for an injury proximately caused by its negligent failure to discharge the duty"].)
"Government Code section 815.6 has three elements that must be satisfied to impose public entity liability: (1) a mandatory duty was imposed on the public entity by an enactment; (2) the enactment was designed to protect against the particular kind of injury allegedly suffered; and (3) the breach of the mandatory statutory duty proximately caused the injury. Even when a duty exists, California has enacted specific immunity statutes that, if applicable, prevail over liability provisions." (B.H., supra, 62 Cal.4th at p. 179.)
In the factual background portion of the operative pleading, plaintiffs alleged under CMIA and the Health Insurance Portability and Accountability Act of 1966 (HIPAA) the County had a nondelegable and mandatory duty to take appropriate measures to protect the confidentiality of the medical records of patients treated at County facilities, which it violated in several specific ways. In the second cause of action for negligence plaintiffs incorporated those background allegations by reference and expressly alleged the County (and Sutherland) breached their duty of care to plaintiffs and members of the putative class 31 by failing to properly protect the medical records of the County's health care patients.
The trial court ruled those seemingly adequate allegations of liability were insufficient to overcome the County's immunity because, to the extent based on CMIA, the negligence cause of action was duplicative of the CMIA claim and, to the extent based on Government Code section 815.6, plaintiffs had failed to allege that statute in the operative pleading. Neither rationale supports the court's finding the County is immune.
As to the first ground, the two causes of action are not identical. As discussed, to prove a violation of CMIA, plaintiffs needed to establish not only that the County was negligent in its creation, maintenance or storage of medical information, but also that the confidentiality of that information had been breached. In contrast, no proof of unauthorized access to the confidential information is required for the cause of action based on the County's negligent breach of its mandatory duty to safeguard the medical information of the patients it served. Conversely, no actual damages need be proved in the CMIA cause of action; statutory damages would be available if any of the plaintiffs could prove a CMIA violation. Actual damages are an essential element of the negligence claim. 32
In supplemental responses to the County's interrogatories served more than two years before the trial court heard the summary judgment motion, plaintiffs stated, subject to various objections, that they and the class members were seeking statutory damages available under CMIA without also identifying actual damages they may have suffered. In its reply memorandum in support of summary judgment, but not its moving papers, the County argued plaintiffs had forfeited their claim to credit monitoring services as damages. In granting summary adjudication in favor of Sutherland and the County on the negligence cause of action, however, the trial court did not adopt that argument, ruling those expenses were too speculative to be recoverable as damages. We, likewise, do not consider this claim for actual damages forfeited.
The trial court's second ground for finding immunity was based on a misapplication of the general principle that, to assert liability under Government Code section 815.6 for breach of a mandatory duty, the plaintiff "'"must specifically allege the applicable statute or regulation."'" (Washington v. County of Contra Costa (1995) 38 Cal.App.4th 890, 896, quoting Brenneman v. State of California (1989) 208 Cal.App.3d 812, 817.) Although it is somewhat unclear from the opinion in Cerna v. City of Oakland (2008) 161 Cal.App.4th 1340, 1349-1350, the case the trial court cited to support its ruling, the requirement is that the plaintiff specifically identify the statute that created the mandatory duty-here CMIA and HIPAA, which plaintiffs expressly alleged-not that the pleading cite section 815.6. (See, e.g., In re Groundwater Cases (2007) 154 Cal.App.4th 659, 689 ["[a] plaintiff seeking to hold a public entity liable under Government Code section 815.6 must specifically identify the statute or regulation alleged to create a mandatory duty"]; Searcy v. Hemet Unified School Dist. (1986) 177 Cal.App.3d 792, 802 ["[s]ince the duty of a governmental agency can only be created by statute or 'enactment,' the statute or 'enactment' claimed to establish the duty must at the very least be identified"].) Government Code section 815.6 is certainly "[t]he gateway to recovery." (Washington, at p. 896.) But it is not the statute that creates the mandatory duty upon which plaintiffs seek recovery 33 and need not be identified in the complaint in order to be discussed when opposing a motion for summary judgment.
The court in Cochran v. Herzog Engraving Co. (1984) 155 Cal.App.3d 405, which the County cites in support of its contention the absence of a citation to Government Code section 815.6 in the operative pleading dooms plaintiffs' claim, noted that, "[t]o state a cause of action against a public entity, every fact material to the existence of its statutory liability must be pleaded with particularity." (Cochran, at p. 414, fn. 2.) Plaintiffs have done just that-pleading all facts material to their negligence claim.
In its brief in this court the County adds a third argument, contending, even if the CMIA and negligence causes of action are not duplicative and plaintiffs adequately pleaded CMIA as the statutory basis for the mandatory duty it breached, they are still asserting a common law tort claim (albeit one effectively for negligence per se), barred by governmental immunity, not a statutory claim authorized by Government Code section 815.6. Yet as the County recognizes elsewhere in its brief, this court upheld just such a cause of action for negligence against a public entity based on the doctrine of negligence per se in Alejo v. City of Alhambra (1999) 75 Cal.App.4th 1180, 1184, disapproved on another ground in B.H., supra, 62 Cal.4th at page 188, footnote 6. (See Lehto v. City of Oxnard (1985) 171 Cal.App.3d 285, 292 ["Government Code section 815.6 applies to public entities the familiar rule of tort law that violation of a legislatively prescribed standard of care creates a rebuttable presumption of negligence"].) In sum, the trial court erred in granting the County's motion for summary adjudication as to plaintiffs' negligence cause of action based on governmental immunity. 34
6. On Remand Plaintiffs Should Have the Opportunity To Renew Their Motion for Leave To Amend
We review the denial of a motion for leave to amend a complaint for abuse of discretion. (Branick v. Downey Savings & Loan Assn. (2006) 39 Cal.4th 235, 242 [leave to amend a complaint is entrusted to the sound discretion of the trial court]; Foroudi v. The Aerospace Corp. (2020) 57 Cal.App.5th 992, 1000; Bettencourt v. Hennessy Industries, Inc. (2012) 205 Cal.App.4th 1103, 1111.) Although "[a] trial court has wide discretion to allow the amendment of pleadings, and generally courts will liberally allow amendments at any stage of the proceeding" (Falcon v. Long Beach Genetics, Inc. (2014) 224 Cal.App.4th 1263, 1280), unreasonable delay alone can justify denial of a motion for leave to amend. (Huff v. Wilkins (2006) 138 Cal.App.4th 732, 765 ["'"even if a good amendment is proposed in proper form, unwarranted delay in presenting it may-of itself-be a valid reason for denial"'"]; see P&D Consultants, Inc. v. City of Carlsbad (2010) 190 Cal.App.4th 1332, 1345; Record v. Reason (1999) 73 Cal.App.4th 472, 486-487; see also Green v. Rancho Santa Margarita Mortgage Co. (1994) 28 Cal.App.4th 686, 692 ["[t]here is a platoon of authority to the effect that a long unexcused delay is sufficient to uphold a trial judge's decision to deny the opportunity to amend pleadings, particularly where the new amendment would interject a new issue which requires further discovery"].)
Here, the trial court denied plaintiffs' motion based on both delay, finding that the newly discovered information should have been known much earlier notwithstanding plaintiffs' argument to the contrary, and prejudice, due to the pendency of Sutherland and the County's summary judgment motion and the impact of 35 an amendment on the timing for that motion, as well as the court's case management plan. It would be difficult to conclude that ruling was an abuse of discretion: "[W]hen a plaintiff seeks leave to amend his or her complaint only after the defendant has mounted a summary judgment motion directed at the allegations of the unamended complaint, even though the plaintiff has been aware of the facts upon which the amendment is based, '[i]t would be patently unfair to allow plaintiffs to defeat [the] summary judgment motion by allowing them to present a "moving target" unbounded by the pleadings.'" (Falcon v. Long Beach Genetics, Inc., supra, 224 Cal.App.4th at p. 1280; accord, Melican v. Regents of University of California (2007) 151 Cal.App.4th 168, 176.)
The circumstances on remand will be far different from those existing when the court considered plaintiffs' motion: The summary judgment motion has been resolved; the CMIA cause of action dismissed; and the nature of the damages at issue in the remaining negligence claim defined and limited. Whatever remained from the court's original case management plan will need to be revised. Accordingly, to the extent plaintiffs continue to believe they have viable claims for breach of contract or violation of the UCL, they should be permitted to renew their motion for leave to amend. The trial court, of course, retains its discretion to grant or deny any such motion in light of the current procedural posture of the case.
7. The Order Denying in Part the Motion To Seal Portions of the Trial Court's December 19, 2018 Ruling Must Be Revised
We agree with the trial court's general observation that the considerations under California Rules of Court, rule 2.550(d) in 36 deciding whether to seal papers filed by the parties are not identical to those involved in determining whether to redact previously sealed material when referred to in a court order. Nonetheless, "medical records are constitutionally private and statutorily confidential." (Oiye v. Fox (2012) 211 Cal.App.4th 1036, 1070.) A person's medical history "'falls within the zone of informational privacy protected' by the state and federal Constitutions." (Id. at p. 1068.) Accordingly, great care should be taken before disclosing in a court ruling previously sealed medical information concerning identifiable parties.
With respect to Galliano, English and Kamon, the trial court ruled there was no confidential medical information concerning them on the stolen computers. Accordingly, there was no reason to describe their medical conditions in the ruling. As to Harasim, although the court also found no confidential medical information pertaining to her was contained on the stolen computers, it additionally ruled Harasim had publicly disclosed enough information about her medical condition to preclude a CMIA claim. Making the minimal redactions (less than a dozen words) requested on page 6 of the ruling would not interfere with a reader's ability to understand the court's analysis of this point as to Harasim. Similarly, the explanation that Carazin's medical condition was visible to others and, therefore, not confidential, need not include a description of that condition. As for the court's concern it ought not redact information it had found was not confidential, pending a decision in this court affirming the trial court's ruling, Harasim and Carazin were entitled to have the information treated as confidential. And since we do not find it necessary to decide the issue, they remain entitled to that degree of privacy protection. 37
We agree with the trial court that the information plaintiffs requested be redacted on pages other than five and six of the ruling do not relate to medical information and properly remain part of the publicly filed ruling.
DISPOSITION
The judgment is reversed. On remand the trial court is to enter a new order granting the motion for summary adjudication as to the CMIA cause of action and denying the motion as to the negligence cause of action. The trial court is further ordered to seal the portions of its December 19, 2018 ruling that contain specific medical or health-related information concerning any of the plaintiffs.
The parties are to bear their own costs on appeal.
We concur: SEGAL, J., FEUER, J. 38