You have a chart in your records system for a patient you haven't billed in eighteen months. She moved to Los Angeles for a tech job last year. You wished her well. You haven't thought about her since.

Your records system still has her chart. Your billing service still has her claim history. Your AI scribe still has the transcripts. Your intake form vendor still has her signed forms.

None of that left when she did.

Last week, a court ruling under the state privacy law that covers her, and everyone else like her, quietly expanded what counts as an actionable breach.

The new rules, in plain English

The California Supreme Court ruled last Wednesday on a data breach case involving an ed-tech company.[1] The case itself is technical. The operational fallout is simple.

Three things changed for any practice handling a California resident's records.

First, more vendors got pulled in. Your records system, your AI scribe, your billing service, your scheduling tool, your intake form software: anything that touches patient health data is now treated like a healthcare provider under California's Confidentiality of Medical Information Act.[2] The exposure no longer stops at your front door.

Second, the bar to file a class action dropped. Before last week, a plaintiff had to prove someone actually accessed their information. Now they just have to prove it was exposed. No one needs to be hurt for the lawsuit to move forward.

Third, statutory damages apply even without proof of harm. Per affected person, the amount is small. Multiplied across a class of three hundred patients, the math stops being small.

Federal courts are moving in the other direction. A federal judge in Wisconsin tossed a similar case earlier this month because the plaintiffs could not show concrete injury.[3] Plaintiff firms now know where to file: California state court.

Why this lands on solo and small-group practice

The instinct says: this is a hospital problem. It is not.

Every practice that has been open for more than a year has at least one patient who has moved out of state. Some moved for school. Some moved for jobs. Some moved for family. If even one of them now lives in California, you are within reach of last week's ruling. Their data is still in your records system. Their claim history is still in your billing service. Their session notes are still in your AI scribe. Their consent forms are still in your intake software.

You may not think of it as out-of-state data. The court does.

For practices that do any telehealth, the exposure compounds. A patient with one foot in your state and one foot in California — the snowbird, the college student, the family caregiver with two addresses — sits in the gap between two state privacy regimes. The California one just got harder to navigate.

The vendor side is where this gets operationally heavy. Your scheduling tool, your billing service, your records system, your AI scribe, your telehealth platform, your texting app — every one of them may now be subject to the stricter California standard for any patient who lives there. Most of these vendors have no idea this happened. Most of their contracts with you do not contemplate it.

For New York practitioners, this should feel familiar

If you practice in New York, the SHIELD Act already taught you what happens when a state's privacy regime follows the patient instead of the provider. SHIELD extended New York's data-security and breach-notification obligations to anyone holding a New York resident's private information, no matter where the business is based. California just did the same thing through case law instead of statute. The mechanic is the same. The states that follow next will pick one approach or the other. The practical move is to plan for both before either reaches you.

The "I'm not in California" mistake

The most common reaction to all of this is "I'm not in California, so this doesn't apply to me."

The geography that matters is your patient's, not yours. The statute reaches anyone handling a California resident's information. The new ruling just made that reach actionable in ways it was not before.

The second-most-common reaction is "my vendors handle that." This is the reaction plaintiff firms count on. Your patient entered a treatment relationship with you, not with your vendors. The chain of vendors you assembled to deliver that treatment is your responsibility. The class action will name you and your vendors together and let the apportionment get worked out in settlement.

The math is not theoretical. Two healthcare class actions settled last week — Duke Health for $3.74 million[4] and Southern Illinois Healthcare in a separate case[5] — both over tracking technology on their websites. Both stayed in state court precisely because the federal forum had become unfriendly to plaintiffs. The California state forum just became friendlier still.

Three things to do this week

One. Find out where your patients live. Not where you treated them. Not where they were when they signed up. Where they actually reside today. Pull up your intake form and check whether you capture a state-of-residence field. If you don't, add one. Most patients volunteer this on their first call. It just needs to land in a field where you can find it later.

Two. List every vendor that holds patient data. Records system. Billing service. AI scribe. Scheduling tool. Telehealth platform. Patient portal. Texting app. Intake form software. Payment processor. For each one, ask whether they currently hold data on patients who live in California. If yes, that vendor is now subject to a stricter standard. Your next contract review with them should reflect it. Most of these vendors do not know yet that the rules changed. You may be the one who tells them.

Three. Open your annual risk assessment and find the data-flow section. If California-resident patient data is not mapped — meaning you do not actually know where it goes once it leaves your practice — the next twelve months will be the wrong time to find out. The point of a risk assessment is to surface this kind of question before a plaintiff firm does. If yours has not been updated in a year, it is almost certainly silent on the question that just became expensive.

The plaintiff bar has been waiting for this ruling since at least 2019. The defense bar will spend the next year explaining to clients what changed. The practices that learn about it from their cyber-insurance carrier's renewal premium increase will learn about it too late. The underwriting decision will already have been made.

The risk assessment that maps where California-resident data flows.
The Encrypted Chart Vault includes the annual risk assessment template calibrated for independent practice. It maps data flows in plain language so you can spot the state-law problem before a plaintiff firm does. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
Get the Vault →
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
Brad@encryptedchart.com
Footnotes
  1. J.M. v. Illuminate Education, Inc., California Supreme Court, Case No. S286699, decided May 14, 2026. Analysis: Nixon Peabody alert.
  2. California Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56 et seq. California Legislative Information.
  3. Brahm v. Hospital Sisters Health System, No. 23-CV-444, U.S. District Court for the Western District of Wisconsin, May 1, 2026. Analysis: Duane Morris analysis.
  4. Williams v. Duke University Health System, Inc., $3.74M MyChart class-action settlement announced May 20, 2026. Settlement details.
  5. Doe v. Southern Illinois Healthcare Enterprises, Inc., website tracking class-action settlement, May 2026. Settlement details.