$46M CIPA Class Action: Kaiser Permanente settles for sharing personal health data from its websites and apps

In December 2025, healthcare provider Kaiser Permanente agreed to a settlement of up to $46 million to resolve class action allegations that it unlawfully shared patients' personal health information with third-party advertisers via website and mobile app tracking technologies.
- The healthcare provider allegedly installed tracking pixels on its patient portals that shared sensitive medical data with companies like Google, Bing, and X.
- Plaintiffs claimed this practice violated several US wiretapping laws such as CIPA (California Invasion of Privacy Act) and breached the organization’s privacy policies.
- The settlement covers approximately 13.4 million individuals who accessed Kaiser’s authenticated websites and mobile apps between 2017 and 2024.
Background to the case
In April 2024, Kaiser Permanente notified 13.4 million current and former members that certain patient data may have been transmitted to third-party vendors.
The company then conducted an internal investigation and subsequently admitted that tracking technologies installed on its websites and mobile applications had potentially disclosed information to companies including Microsoft, Google, and X.
Subsequent lawsuits were consolidated into a class action complaint filed in the US District Court for the Northern District of California.
The plaintiffs alleged that Kaiser’s use of these tools violated the federal Electronic Communications Privacy Act (ECPA), the California Invasion of Privacy Act (CIPA), and various state consumer protection laws.
Under the terms of the proposed settlement, Kaiser will pay up to $46 million to a settlement fund. Despite settling, the company denies any liability or wrongdoing.
Did Kaiser really share personal health data?
A core issue in the litigation was the allegation that Kaiser placed tracking code on "authenticated" webpages, i.e., secure areas where patients log in to view medical records, schedule appointments, or message doctors.
Among other issues, the complainants alleged that Kaiser embedded "session replay" code from Quantum Metric and advertising pixels from Google, Bing, and Adobe on these secure portals. The plaintiffs alleged that these tools intercepted their communications in real time.
The complaint details instances where the tracking code allegedly captured highly sensitive data. For example, when a user searched for "mental health" or accessed test results regarding a "shoulder x-ray" while logged into the patient portal, this information was reportedly transmitted to third-party advertising platforms.
How Kaiser allegedly violated CIPA and HIPAA
CIPA requires the consent of all parties to a communication before it can be recorded or intercepted. The complaint identifies four specific prohibited acts Kaiser allegedly committed:
- Unauthorized connection/tap. By embedding third-party code, Kaiser effectively allowed the Third Party Wiretappers to make unauthorized connections to the lines of internet communication between patients and the Kaiser website — analogous to wiretapping a phone line.
- Reading communications in transit without consent. The tracking technologies, particularly Quantum Metric's Session Replay, allegedly read and recorded the contents of patient communications while they were in transit, including keystrokes, clicks, form entries, and messages to providers — all without patients' knowledge.
- Use of intercepted information. The data gathered was allegedly used by the third parties for advertising targeting and profiling, which constitutes unauthorized use of intercepted communication content under the statute.
- Aiding and conspiring with third-party wiretappers. Perhaps the broadest allegation under CIPA — Kaiser is accused of actively aiding, employing, and conspiring with Quantum Metric, Adobe, Google, Bing, and Twitter to carry out the interception, even if Kaiser itself did not directly read the communications.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has previously issued guidance stating that tracking technologies on authenticated patient portals generally result in the disclosure of Protected Health Information (PHI).
The plaintiffs argued that Kaiser failed to obtain the necessary patient consent or sign Business Associate Agreements (BAAs) with these advertising vendors, making the data sharing unauthorized under HIPAA standards.
HIPAA does not provide a “private right of action” that would allow individuals to sue a business merely because it violated the law. However, these standards were used to support claims of negligence and breach of contract.
Steps to avoid similar legal challenges
The Kaiser settlement highlights the significant financial and reputational risks associated with unmanaged third-party scripts on healthcare websites.
- Audit authenticated environments: Ensure that marketing pixels and trackers are removed from patient portals and other secure zones unless strictly necessary and covered by a BAA.
- Implement continuous privacy auditing: Automated tools can detect unauthorized tracking scripts and "piggybacking" tags that may be inadvertently collecting sensitive data.
- Review vendor contracts: Verify that all third-party vendors receiving data from your digital properties are contractually limited in how they can use that information.
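The first two steps above (removing trackers from authenticated zones and auditing for scripts that slip back in) come down to one recurring check: every resource an authenticated page loads must belong either to the first party or to a vendor covered by a BAA. The following is an added example, not code from the original article or from Privado's products, of that allowlist check over a page's HTML, together with a Content-Security-Policy built from the same allowlist so that an unlisted tag is blocked at the browser rather than merely reported. The hostnames, the allowlist, the `KNOWN_TRACKER_HOSTS` labels and the sample portal page are all constructed for illustration.

```python
"""Allowlist audit of resources loaded by an authenticated portal page.

Added example; the first-party host, the BAA-covered vendor list and the
sample HTML below are constructed and are not taken from the Kaiser case.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the portal itself plus the only vendor host that,
# for this example, is assumed to be covered by a BAA.
FIRST_PARTY = "portal.example-health.test"
BAA_COVERED = {"static.example-health.test"}

# Constructed labels for hosts of commonly deployed tag types, so that a
# finding can name the category of tag. Any host not on the allowlist is
# flagged whether or not it appears here.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com": "tag manager (can piggyback further tags)",
    "www.google-analytics.com": "analytics",
    "bat.bing.com": "advertising pixel",
    "analytics.twitter.com": "advertising pixel",
    "cdn.quantummetric.com": "session replay",
}


class ThirdPartyResourceScanner(HTMLParser):
    """Collects external resource references from <script>, <img>, <iframe>,
    <link> and <source> tags, plus the text of inline scripts so that tag
    loaders which inject further scripts at runtime can still be spotted."""

    RESOURCE_TAGS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "source": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag name, url)
        self.inline_scripts = []   # raw bodies of <script> without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attr_name = self.RESOURCE_TAGS.get(tag)
        if attr_name:
            for name, value in attrs:
                if name == attr_name and value:
                    self.resources.append((tag, value))
        if tag == "script" and not any(n == "src" for n, _ in attrs):
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def host_of(url):
    """Hostname of an absolute or scheme-relative URL; a relative path
    resolves to the first party."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or FIRST_PARTY).lower()


def audit_page(html, page_path):
    """Return one finding per resource that is neither first-party nor
    BAA-covered, including tracker loaders embedded in inline scripts."""
    parser = ThirdPartyResourceScanner()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = host_of(url)
        if host == FIRST_PARTY or host in BAA_COVERED:
            continue
        findings.append({"page": page_path, "tag": tag, "host": host,
                         "category": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})
    for body in parser.inline_scripts:
        for host, category in KNOWN_TRACKER_HOSTS.items():
            if host in body:
                findings.append({"page": page_path, "tag": "inline-script",
                                 "host": host, "category": category})
    return findings


def csp_for_authenticated_pages():
    """Content-Security-Policy permitting only the first party and BAA-covered
    hosts, so an unlisted tag fails to load instead of transmitting data."""
    allowed = " ".join(sorted({"'self'"} | {f"https://{h}" for h in BAA_COVERED}))
    return (f"default-src 'none'; script-src {allowed}; img-src {allowed}; "
            f"connect-src {allowed}; style-src {allowed}; frame-src 'self'")


# Constructed authenticated page: a BAA-covered script, a tag-manager
# bootstrap, a session-replay script, an advertising pixel and a
# first-party image. Identifiers marked PLACEHOLDER are not real.
SAMPLE_AUTHENTICATED_PAGE = """
<html><head>
<script src="https://static.example-health.test/portal.js"></script>
<script>
(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})
(window,document,'script','dataLayer','GTM-PLACEHOLDER');
</script>
<script src="https://cdn.quantummetric.com/qscripts/PLACEHOLDER.js"></script>
</head><body>
<h1>Test results: shoulder x-ray</h1>
<img src="https://bat.bing.com/action/0?ti=PLACEHOLDER" width="1" height="1">
<img src="/images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_AUTHENTICATED_PAGE, "/myhealth/test-results"):
        print(f"{f['page']}: <{f['tag']}> loads {f['host']} ({f['category']})")
    print("Suggested CSP:", csp_for_authenticated_pages())
```

Run against the constructed page, the audit reports three loads: the session-replay script, the advertising pixel image and the tag-manager loader hidden in the inline script, while the BAA-covered script and the first-party logo pass. The CSP is the enforcement side of the same allowlist; deploying it with a `report-uri`/`report-to` directive turns each blocked tag into a log entry for the continuous audit, and because the scanner works on delivered HTML it should be run against the logged-in portal, not the public marketing site.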
Prevent all website and app privacy violations by continuously scanning your websites and mobile apps with Web Auditor and App Auditor. Privado AI offers the most comprehensive solution to verify in real-time that your website, app, and CMP are compliant with all applicable privacy requirements for each location, including your privacy policies.


