
California Confidentiality of Medical Information Act (CMIA)

The Lyon Firm is actively involved in Class Action CMIA Violations Lawsuits on behalf of plaintiffs
Nationwide Success

Health Privacy Lawyer

Investigating Data Privacy & CMIA Violation Lawsuits

More and more frequently, hospitals and other healthcare entities are reported for alleged privacy violations. Many patients and health plan customers don’t immediately know how these privacy breaches affect them, though for most individuals the damage to their future privacy can be considerable.

The Lyon Firm is reviewing the California Confidentiality of Medical Information Act (CMIA) for plaintiffs and accepting class action health privacy claims nationwide.

Our medical information and medical history should be kept private at all costs, which is why California has gone above and beyond federal regulations and adopted comprehensive protections for consumers and patients, a necessary safeguard against breaches of doctor-patient confidentiality and widespread personal privacy violations.

Because medical providers, health care companies, and third-party vendors are often careless with regard to data security, medical information is compromised, leaving individuals vulnerable to medical identity theft.

But are there consumer protections in place? Yes, and individuals can take legal action.

Does HIPAA Take Precedence over CMIA?

The Health Insurance Portability and Accountability Act (HIPAA) is meant to protect patient health information at the federal level, and the California Confidentiality of Medical Information Act (CMIA) takes the protections even more seriously. The California law states that when medical information has been improperly disseminated, individuals can initiate lawsuits and seek compensatory damages.

If you believe your personal medical information has been used without your consent and in violation of HIPAA or CMIA, you may be able to hold those responsible accountable. The Lyon Firm attorneys offer no-cost and confidential consultations regarding California confidentiality laws.

How Does the CMIA differ from HIPAA?

The Confidentiality of Medical Information Act (CMIA) is a California law that protects the privacy of individually identifiable medical information obtained by health care providers, health insurers, and their contractors.  

In short, the CMIA prohibits health care providers from disclosing sensitive medical information without first obtaining authorization, and requires health care providers that collect and store medical information to do so in a properly secure manner.

Under the new California confidentiality laws (CMIA), “medical information” is defined as any individually identifiable information in possession of or derived from “a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.” 

CMIA’s reach goes beyond medical professionals and doctor-patient confidentiality – the medical privacy act statute also allows individuals to seek compensation when any “person or entity” uses medical information “knowingly or willfully,” and “for the purpose of financial gain.”

What Personal Information is Protected under CMIA?

CMIA defines “medical information” as any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.

“Individually identifiable information” may include the following:

  • Patient’s name
  • Address
  • Electronic mail address
  • Telephone number
  • Social Security number
  • Health Insurance information
  • Financial information
  • Treatment information
  • Prescriptions

What are the CMIA Authorization Requirements?

  • Authorization must be either handwritten by the individual who signs the document (the patient or their representative), or printed in a minimum of 14-point type
  • Authorization language must be clearly separated from any other language on the same page
  • Patient’s signature must “serve no other purpose than to execute the authorization”
  • Authorization form must be signed and dated
  • Authorization must include specific uses and limitations on the types of medical information to be disclosed
  • Authorization must include the name or functions of the health care provider, health care service plan, pharmaceutical company, or contractor that is being allowed to disclose the information pursuant to the authorization, as well as the names or functions of those persons or entities authorized to receive the information

Can someone access my medical records without my permission?

No, and individual plaintiffs may bring an action against any person or entity that has negligently released confidential information or records, for the amount of actual damages.

Any healthcare provider who knowingly and willfully obtains, discloses, or uses medical information in violation of CMIA may be liable for an administrative fine of up to $2,500 per medical privacy act violation.


Joseph Lyon has 17 years of experience representing individuals in complex litigation matters. He has represented individuals in every state against many of the largest companies in the world.

The Firm focuses on single-event civil cases and class actions involving corporate neglect & fraud, toxic exposure, product defects & recalls, medical malpractice, and invasion of privacy.


The Firm offers contingency fees, advancing all costs of the litigation, and accepting the full financial risk, allowing our clients full access to the legal system while reducing the financial stress while they focus on their healthcare and financial needs.

Compensation for Victims

Why are Data Privacy Cases important?

Without data privacy class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty.

Holding companies accountable for poor cybersecurity and data theft incidents helps ensure that consumers are better protected in the future. 

Questions About CMIA Litigation

Is my personal health data protected?

Privacy laws are meant to protect patients’ personal health data, and when institutions fail to protect personal data they may be sued for damages. In recent years much health data has been leaked and stolen, causing significant damages to plaintiffs who have taken legal action.

In a recent case the American Medical Collection Agency (AMCA) settled with nearly 21 million people in 40 states and Washington D.C. concerning a data breach that may have exposed their personal information. The breach, which occurred in 2018, lasted nearly a year until official notice of the intrusion.

An unauthorized user gained access to the AMCA internal data system and collected the personal information, including Social Security numbers, financial information, and personal health information, such as medical tests and diagnostic codes.

Quest Diagnostics was alerted that the hack exposed the personal medical data of 11.9 million of its patients. LabCorp had 7.7 million patients exposed. A number of class action lawsuits were filed throughout the country, alleging negligence, breach of contract, and a variety of privacy violations concerning data security.

What to do if you are a victim of a data breach

  1. Get confirmation of the data breach and collect as many details about the incident as possible.
  2. Contact an attorney to investigate the complex litigation involved in security breach lawsuits.
  3. Try to find out what information was exposed and protect yourself as much as possible.
  4. Talk to an attorney before accepting any settlement direct from a company.
  5. Monitor your accounts and personal information closely.

How are CMIA Violations Discovered?

CMIA violations are often discovered during internal audits. Supervisors may also identify areas of non-compliance or see employees blatantly violate CMIA rules. The penalties for violations can be severe, with fines of up to $2,500 per violation.

Can I file a CMIA Violation Lawsuit?

If your personal health data has been stolen or improperly leaked, you may have a data privacy claim against those responsible. Contact The Lyon Firm for a free and confidential case review.


What is a Class Action Lawsuit?

A Class Action is a lawsuit brought by an individual on behalf of all other similarly situated individuals. Rule 23 of the Federal and State Rules of Civil Procedure allows for Class Action lawsuits to resolve disputes in an efficient format.

Class Actions are typically filed when the amount of money in dispute for a single plaintiff would not justify litigating the case, but where the amount of damages of the entire class of Plaintiffs would justify the cost of litigation. Without class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty.

Your Right to Justice

Learn About the Legal Process

Filing Class Action lawsuits is a complex and serious legal course and can carry monetary sanctions if the proper legal course is not followed. The Lyon Firm is dedicated to assisting injured plaintiffs in working toward a financial solution that compensates for medical expenses or other damages sustained.

We work with law firms across the country to provide the most resources possible and to build your case into a valuable settlement. The current legal environment is favorable for consumers involved in data breach class actions, deceptive marketing lawsuits, TCPA telemarketing claims, and financial negligence claims.