
They Held Your Child’s Medical Records. Then They Let Hackers In.

TL;DR

  • Illuminate Education, a for-profit edtech company, collected students’ medical records including mental health diagnoses, special education details, and treatment plans from K-12 school districts across California. A cyberattack running from December 28, 2021 through January 8, 2022 gave hackers unauthorized access to databases containing that information.
  • Illuminate sat on confirmed knowledge of the breach for five months before sending written notice to affected families. The California Supreme Court confirmed that a five-month notification delay supports a cause of action for preventing victims from taking protective action.
  • A minor child, J.M., sued Illuminate under California’s Confidentiality of Medical Information Act (CMIA) and Customer Records Act (CRA). The California Supreme Court’s May 14, 2026 ruling found that while the breach itself was serious, J.M. could not sue under those specific statutes because Illuminate had exploited definitional gaps: it was legally classified as an educational vendor, not a health care provider, even though it held students’ health records.
  • In ruling on this case, the California Supreme Court overturned prior court decisions that required victims to prove their data was actually viewed by hackers to pursue a claim, establishing a new “significant risk of unauthorized access” standard that is more protective of victims in future cases.
  • After the breach, J.M. alleged he began receiving unsolicited mail at an address he had only provided through his school district to Illuminate, suggesting his data reached outside parties.

The court confirmed that Illuminate waited five months to tell families their children’s medical records had been exposed, and the children still ended up with no legal remedy under the statutes they filed under. Find out exactly how that happened.

California Supreme Court, Case No. S286699 • Decided May 14, 2026


The Non-Financial Ledger: What Was Actually Taken

Imagine you are the parent of a child with a medical diagnosis, a learning disability, a mental health condition, something private and hard-won to even understand. You told the school about it because the school needed to know. That information was supposed to help your kid get the right support in a classroom. You did not consent to it being stored on a corporate server. You did not sign up for an Illuminate account. You were never asked. The district handed your child’s most sensitive records to a private company without you ever knowing that a company called Illuminate Education had them.

Then, sometime between December 28, 2021, and January 8, 2022, hackers got in. Illuminate discovered suspicious activity on January 8. By March 24, they had confirmed that the databases had been accessed without authorization. At that point, families had a right to know. They could have changed email addresses, put fraud alerts on accounts, prepared for the worst. They were not told. Illuminate waited. The letter arrived on June 10, 2022, five months after the breach window closed.

The breached databases, according to Illuminate’s own notice letter, may have contained children’s names, academic and behavior records, enrollment data, accommodation records, special education classifications, medical information, and demographic details. That is nearly a complete portrait of a child. The notice to families was careful to note “no evidence that any information was subject to actual or attempted misuse.” That is the company’s judgment about whether your child’s medical records were exploited. You were not given the information in time to form your own judgment.

J.M., the minor plaintiff in this case, reported receiving numerous unsolicited letters from third parties at an address he had only ever given to Illuminate through the school district. He also reported receiving unusual phone calls from solicitors connected to phantom Amazon accounts. He cannot prove to a legal certainty that his data was viewed by the hackers. That is the trap. The people who know what happened to the data are the company that lost it and the hackers who took it. The child who trusted the school system is left holding the uncertainty.

“Your child’s name, mental health diagnosis, and special education status were on a corporate server. When it was breached, you were told five months later that there was no evidence of misuse. That is the system’s promise to you.”

Legal Receipts: What the Court Record Actually Says

The California Supreme Court’s opinion, authored by Justice Liu and joined by all six other justices, contains direct statements on the timeline, the data involved, and the legal standards at stake.

“On March 24, 2022, the investigation ‘confirmed that certain databases containing potentially protected student information were subject to unauthorized access between December 28, 2021, and January 8, 2022.’ About 12 days later, Illuminate ‘began the process of notifying [the] Ventura County Office of Education’ of the breach.”
  • Illuminate confirmed the breach on March 24, 2022. It did not immediately notify families. It first notified the county education office, approximately 12 days after its own confirmation.
  • Families did not receive written notice until June 10, 2022, approximately 78 days after Illuminate confirmed the breach internally, and roughly 154 days after the breach window began.
  • The Court of Appeal had already found this delay actionable, describing it as preventing “victims from taking prompt steps to protect their personal information.”
“Those databases ‘may have contained the following: your minor’s name, academic and behavior information, enrollment information, accommodation information, special education information, medical information, and/or student demographic information.’ The notice further said there was ‘no evidence that any information was subject to actual or attempted misuse.’ ”
  • The inclusion of “special education information” and “medical information” in the same breach database means this was not a generic account hack. The data was clinically sensitive information about children with disabilities and health conditions.
  • The company’s own breach notice simultaneously disclosed the breadth of the exposure and reassured families there was no evidence of harm, two claims that families were in no position to independently evaluate.
“Following the breach, J.M. alleges he ‘has received numerous solicitations by mail from third parties at an address he only provided to [Illuminate] through the Office of Education.’ ”
  • This allegation, accepted as true for purposes of the demurrer, indicates that data from Illuminate’s systems reached outside parties who then used it for direct mail solicitation.
  • Despite this allegation, the courts were constrained by statutory definitions to dismiss the case. The data appearing in unsolicited third-party mail campaigns was not, by itself, sufficient to satisfy the legal standing requirements under the statutes as written.
“The Legislature’s inclusion of a ‘nominal’ remedy for persons who were not actually damaged or even threatened with actual damages signals that liability under the statute focuses on the allegedly negligent conduct of the covered entity, not on the resulting harm to the plaintiff.”
  • This is the California Supreme Court affirming that the CMIA was designed to hold companies accountable for careless handling of medical data, even before a victim can prove concrete injury.
  • The court used this reasoning to reject the old “actually viewed” standard and establish the new “significant risk of unauthorized access” standard. The reform matters for future victims even though it did not save J.M.’s case.
Visual: Breach Discovery to Family Notification Timeline
  • DEC 28, 2021: Breach begins
  • JAN 8, 2022 (11 days later): Suspicious activity discovered
  • MAR 24, 2022 (75 days later): Breach confirmed internally
  • ~APR 5, 2022 (~12 days later): County office notified
  • JUN 10, 2022 (~66 days later): Families finally notified in writing
  • ~165 days from breach start to family notification

Public Deception: What Families Were Told vs. What Was True

Illuminate’s communications to affected families contained notable gaps between what was disclosed and what the legal record establishes was the actual situation.

  • Claimed: The June 10, 2022, notice to families said there was “no evidence that any information was subject to actual or attempted misuse.” Reality: The plaintiff alleged that following the breach, he began receiving unsolicited mail from third parties at an address he had only provided through Illuminate, suggesting data had already reached outside parties. The company’s “no evidence” claim is based on its own investigation, not an independent audit.
  • Claimed: The notice framed the situation as a routine disclosure following investigation. Reality: Illuminate confirmed the breach on March 24, 2022, and families were not notified until June 10, 2022. The Court of Appeal found a “five-month disclosure delay” relevant to whether victims were prevented from taking protective action. The family’s letter arrived after the window for early protective action had already closed.
  • Claimed: Illuminate’s services are educational in nature, not medical. Reality: The company collected and stored students’ “medical history, mental or physical condition, or treatment” information, “diagnosis and treatment plans of children,” and provided dyslexia screening data tied to medical and developmental conditions. The California Supreme Court spent considerable analysis on exactly how medical the company’s data holdings were.
Visual: What Families Were Told vs. What the Court Record Shows
  • Told: “No evidence that any information was subject to actual or attempted misuse.” Record: Plaintiff alleges receiving third-party solicitations at an address only given to Illuminate. Phone calls from solicitors re: phantom Amazon accounts followed.
  • Told: Notice sent after “investigation” was complete (letter dated June 10, 2022). Record: Breach confirmed internally March 24, 2022. County notified ~12 days later. Families notified ~78 days after internal confirmation.
  • Told: Illuminate is an educational software vendor providing “applications and technology support to schools.” Record: Stored students’ “medical history, mental or physical condition, or treatment,” special education records, and diagnosis/treatment plans of children on a nationwide internet platform.


Regulatory Gray Zones: How an EdTech Company Stored Medical Records and Answered to No One

The most damaging finding in this case is structural: Illuminate Education occupied a regulatory gap that allowed it to hold some of the most sensitive information about children in the country without being accountable under California’s primary medical privacy law.

  • California’s Confidentiality of Medical Information Act defines “provider of health care” to cover businesses that maintain medical information “in order to make the information available to an individual or to a provider of health care… for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual.” Illuminate’s system made that information available to educators for educational planning, a purpose just outside the statute’s language, even though the underlying data was medically identical.
  • The CMIA was extended in 1993 to cover medical information corporations, in 2007 to cover personal health record companies like WebMD, and in 2013 to cover mobile health apps. At no point did the Legislature extend it to cover edtech companies that collect and store student medical records as part of school district contracts. Illuminate operated in the space between those covered categories.
  • The California Supreme Court explicitly noted that “the CMIA was designed to adapt to technological changes in the way medical information is stored and used, its scope has limits.” The Legislature simply had not written a law that covered a company doing exactly what Illuminate was doing.
  • Under the Customer Records Act, only a company’s “customer” can sue for breach notification violations. The CRA defines a customer as someone who provides personal information “for the purpose of purchasing or leasing a product or obtaining a service from the business.” J.M. did not contract with Illuminate. His school district did. Illuminate legally argued, and the Supreme Court agreed, that J.M. was not its customer under that statutory definition, even though he was the person whose data was stored and breached.
  • The effect of this gap: a private company can enter contracts with school districts to collect and store children’s medical records, suffer a months-long data breach, delay notification, and face no civil liability to the children themselves under two of California’s primary data privacy statutes, so long as it classifies itself as an educational vendor rather than a health care provider.
“Illuminate stored children’s diagnoses and treatment plans. California law protecting medical privacy did not cover it, because the legislature had never updated the statute to include companies that collect medical records for school districts.”
Visual: How CMIA Coverage Was Supposed to Work vs. What Illuminate Fell Into
  • CMIA protects (required): Entity stores patient medical records for health care purposes. What applied to Illuminate: Stores student medical records for educational planning purposes (diverges here).
  • CMIA protects: Classified as “provider of health care” under Civil Code §56.06. Illuminate: NOT classified as provider of health care (educational vendor category).
  • CMIA protects: Breach triggers CMIA duty to preserve confidentiality (§56.101). Illuminate: §56.101 does not apply (not a covered entity).
  • CMIA protects: Victims (patients) have civil standing to sue under §56.36(b). Illuminate: Children are not “customers” under CRA (school district is the customer).
  • CMIA protects: Civil remedy available to victims. Illuminate: Case dismissed. No civil remedy for children.

Societal Impact Mapping

Public Health and Privacy

The harms documented in and directly supported by this case extend beyond J.M. and reach every family whose child’s information was in Illuminate’s databases.

  • The breach databases potentially contained students’ mental health diagnoses, treatment plans, and medical histories. This category of data is among the most sensitive a person can hold. Unauthorized access to it can affect insurance, employment, and the social standing of children before they are old enough to protect themselves.
  • Special education records and accommodation information, also listed in the breach disclosure, are protected under federal law precisely because of the stigma and discrimination their exposure can trigger. These records were swept into the same breached databases as general enrollment data.
  • J.M. alleged receiving unsolicited third-party mail and phone solicitation calls following the breach, including calls related to phantom Amazon accounts. If this reflects data that reached commercial actors, it means children’s medical and demographic information may have entered commercial data pipelines.
  • The California Supreme Court acknowledged that data breaches in the modern environment can be “facilitated by artificial intelligence or automated cybercrime, without anyone actually viewing the information,” meaning harm can occur and propagate without a human ever reading a specific child’s file. The law had not kept pace with this reality.
  • Parents were left in an information void for five months. During that window, they could not alert their child’s pediatrician, could not place fraud alerts, could not monitor for misuse. Every protective step a family might take after a data breach was delayed by five months, a period of exposure that families cannot recover.

Economic Inequality

This case exposes a structural inequality in who bears the risk when corporations hold sensitive data and who benefits from the legal structures that limit accountability.

  • Illuminate sold its services to school districts, not to families. School districts negotiated the data-sharing arrangements. Parents and students had no seat at the table and no contractual relationship with the company that stored their most sensitive information. This is a direct consequence of edtech business models that treat public schools as sales channels and students as data sources.
  • Families wealthy enough to place their children in private schools or districts that did not use Illuminate were not exposed to this breach. The students whose medical records were at risk were in public school districts across California, disproportionately lower-income communities that depend on subsidized technology to meet students’ educational needs.
  • The cost of litigation was borne entirely by J.M. and his guardian, represented by attorneys at Potter Handy LLP. Illuminate was defended by Kirkland & Ellis, one of the most expensive law firms in the country. The family of a minor child challenged a corporate data giant through three separate courts, including the California Supreme Court, and still lost on statutory grounds.
  • J.M. and the class of students like him were left with no civil remedy under the two statutes they pursued, not because the harm was not real, but because the Legislature had not updated the law to cover a company like Illuminate. Wealthy corporations can hire lobbyists to monitor and shape those legislative gaps. Families cannot.

No Accountability Came: What the Dismissal Means

This case did not end in a settlement. It ended in a dismissal, which is a harder outcome for affected families. A settlement at least produces some acknowledgment and often some compensation. A dismissal produces neither.

  • The California Supreme Court reversed the Court of Appeal’s ruling in Illuminate’s favor. The case was remanded to lower courts to determine whether J.M. could amend his complaint in light of the new legal standards, but Justice Groban’s concurrence explicitly argued he probably cannot, because he cannot allege facts that would satisfy the statutory definitions for Illuminate to be a covered entity.
  • No finding of wrongdoing was made against Illuminate by the Supreme Court. The court analyzed statutory coverage questions, not the ethics of what Illuminate did. The company’s five-month notification delay, its collection of children’s medical data, and the breach itself were not adjudicated on their merits.
  • The class of California students who received breach notices, like J.M., were defined in the original complaint as people placed at “an imminent, immediate, and continuing increased risk of harm from fraud and identity theft.” That class received no remedy from these proceedings.
  • The California Attorney General filed an amicus brief in support of J.M., arguing for a broader interpretation of the CMIA that would have allowed the case to proceed. That position lost. The Attorney General’s office is the most powerful consumer protection actor in California and could not extend the law to cover this situation through litigation alone.

5 months
The window of time that elapsed between Illuminate confirming a breach of students’ medical records on March 24, 2022, and sending written notice to families on June 10, 2022. During those five months, families could not monitor for fraud, place protective alerts, or take any step to shield their children from potential misuse of their most sensitive personal information. This delay was found by the Court of Appeal to support a cause of action under the Customer Records Act, yet J.M. still could not sue because he was not legally classified as Illuminate’s “customer.”

This Is the System Working as Intended

The outcome in this case was not a legal mistake or a judicial failure. It was the predictable result of a legal architecture built to protect business categories, not data subjects.

  • The California Legislature extended medical privacy protections to personal health record companies and mobile health apps but never extended them to edtech vendors operating through school district contracts. That is a legislative choice, one that Illuminate’s business model benefited from directly.
  • The CRA’s “customer” definition ties civil standing to a commercial transaction. Students in public schools do not transact with the edtech vendors their districts hire. The law was written for a retail economy. It was never updated for a school procurement economy where students are the data source but not the buyer.
  • Three courts, the trial court, the Court of Appeal, and the California Supreme Court, all acknowledged in different ways that the breach was real, the notification delay was significant, and the data was sensitive. None of them could provide a remedy because the Legislature had not written one that applied.
  • Illuminate was represented by Kirkland & Ellis, a firm routinely retained by corporations facing regulatory and class action risk. The legal infrastructure available to corporate defendants in cases like this, the procedural tools, the appellate strategy, the demurrer practice, is specifically designed to resolve cases on technicalities before they reach merits review. It worked exactly as designed here.
  • The California Supreme Court’s new “significant risk of unauthorized access” standard is a genuine improvement over the old “actually viewed” rule, and it will help future plaintiffs in cases where the covered-entity threshold is met. But it did nothing for J.M. because the threshold itself blocked the claim. Reforming the standard of injury without reforming who can be sued produces a more sophisticated legal framework that still leaves the same children without a remedy.

What a Legitimate Fix Looks Like

Editorial Analysis: The following recommendations are based on the specific failure modes documented in this case. They are not findings of the source document.

The core structural failure this case exposes: California’s medical privacy law was never updated to cover companies that hold student medical records under school district contracts, leaving an entire category of data subjects without civil standing.

Regulatory Track

  • The California Department of Education and the California Attorney General’s office should issue joint guidance clarifying that edtech vendors receiving student medical records from school districts are subject to the same data security and breach notification standards that apply to health care providers, regardless of how those vendors classify their primary business purpose.
  • The Office of Civil Rights at the federal Department of Education should examine whether FERPA, the federal student records protection law, was triggered by this breach and whether Illuminate’s notification timeline was compliant. FERPA does not have a private right of action, but federal enforcement can impose penalties and require corrective action that state courts cannot.
  • School district procurement processes should require edtech vendors collecting medical or quasi-medical student data to demonstrate compliance with both FERPA and HIPAA standards, regardless of the vendor’s self-classification. The Ventura County Office of Education entered a contract with Illuminate without requiring these protections for students’ medical data.

Legislative Track

  • The California Legislature should amend the CMIA, specifically Civil Code sections 56.05 and 56.06, to add a new category: companies that collect and store student medical information under contracts with school districts or county education offices. This category should carry the same confidentiality duties and breach notification requirements as traditional health care providers.
  • The California Legislature should amend the Customer Records Act to extend civil standing to any individual whose personal data was held by a breached company, regardless of whether that individual directly transacted with the company. The current “customer” definition excludes the people most likely to be harmed when data is collected through institutional intermediaries like school districts.
  • California should consider a Student Data Privacy Act modeled on existing state legislation in Colorado, New York, and Delaware that specifically governs edtech vendor collection, storage, and breach notification obligations for student data, including medical and quasi-medical records. This would close the gap the CMIA currently leaves open.

Corporate Governance Track

  • Illuminate Education, and companies like it, should be required to appoint an independent privacy officer with direct board accountability. The breach in this case ran for 11 days before being detected and was confirmed internally weeks before any party external to the company was told. A compliance structure with board-level oversight would have created pressure toward faster disclosure.
  • School district contracts with edtech vendors should mandate a maximum 72-hour notification window from breach confirmation to notification of affected families, aligned with California’s general data breach notification standards. The five-month delay documented in this case would be structurally impossible under such a requirement.
  • Edtech vendors collecting student medical data should be required to carry dedicated cyber liability insurance with provisions covering notification costs, credit monitoring, and documented harm remediation for affected students. This creates a financial incentive to invest in security and a fund for remediation when security fails.

What Now?

The companies and institutions with power to change this outcome are identifiable. Here is where to direct attention.

Regulatory Watchlist

  • California Attorney General’s Office: The AG filed an amicus brief in support of J.M. in this case. That office has authority to pursue enforcement actions against data holders under multiple California statutes and can push for legislative change. Public pressure to prioritize edtech data privacy enforcement is warranted.
  • California Legislature, Privacy Committee: The Legislature failed to extend CMIA coverage to edtech vendors despite multiple rounds of amendments from 1993 to 2013. Constituent pressure on state senators and assembly members to amend Civil Code sections 56.05 and 56.06 is the most direct path to closing the gap this case exposed.
  • U.S. Department of Education, Office of Civil Rights: Federal oversight of FERPA compliance by school districts and their vendors is an underused enforcement lever. Filing complaints with OCR when districts share student medical data with vendors lacking adequate security is a documented pathway to federal review.
  • Local School Boards and County Education Offices: The Ventura County Office of Education contracted with Illuminate. That decision, and the data-sharing arrangements embedded in that contract, were made by elected and appointed officials accountable to families. Public records requests and board meeting participation are available tools for demanding contract transparency.
  • California Privacy Protection Agency (CPPA): Created by the CPRA in 2020, the CPPA has rulemaking and enforcement authority over the California Consumer Privacy Act. It can investigate data broker practices and push for regulations that extend protections to student data held by edtech vendors.

Grassroots and Mutual Aid

  • If your child’s school district uses Illuminate Education or similar edtech platforms that collect behavioral, medical, or special education data, you have the right under FERPA to request a copy of your child’s education record and to know which vendors have access to it. File a written request with your district’s records office.
  • Parent-teacher associations and school board advocacy groups can pass resolutions demanding that districts publish lists of all third-party vendors with access to student data, what data categories they receive, and what security certifications they hold. This information is public in principle and invisible in practice.
  • Connect with student data privacy advocacy organizations, including the Electronic Frontier Foundation’s student privacy project and the Parent Coalition for Student Privacy, who track edtech vendor practices and provide template public records requests and model school board resolutions.
  • If you received a breach notification from Illuminate or a similar edtech company, consult with a consumer privacy attorney in California about whether the amended CMIA standard, or the CCPA, provides a pathway that was not available to J.M. under the pre-amendment legal framework. The law changed with this ruling.

The source document for this investigation is attached below.
