
Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.
Thank you!
Please check your email to view the guide.

In December 2025, healthcare provider Kaiser Permanente agreed pay $46 million to settle class action allegations that it unlawfully shared patients' personal health information with third-party advertisers via website and mobile app tracking technologies. The settlement may increase to $47.5 million under certain conditions.
In April 2024, Kaiser Permanente notified 13.4 million current and former members that certain patient data may have been transmitted to third-party vendors.
The company then conducted an internal investigation and subsequently admitted that tracking technologies installed on its websites and mobile applications had potentially disclosed information to companies including Microsoft, Google, and X.
Subsequent lawsuits were consolidated into a class action complaint filed in the US District Court for the Northern District of California.
The plaintiffs alleged that Kaiser’s use of these tools violated the federal Electronic Communications Privacy Act (ECPA), the California Invasion of Privacy Act (CIPA), and various state consumer protection laws.
Under the terms of the proposed settlement, Kaiser will pay $46-$47.5 million to a settlement fund. Despite settling, the company denies any liability or wrongdoing.
A core issue in the litigation was the allegation that Kaiser placed tracking code on "authenticated" webpages, i.e., secure areas where patients log in to view medical records, schedule appointments, or message doctors.
Among other issues, the complainants alleged that Kaiser embedded "session replay" code from Quantum Metric and advertising pixels from Google, Bing, and Adobe on these secure portals. The plaintiffs alleged that these tools intercepted their communications in real time.
The complaint details instances where the tracking code allegedly captured highly sensitive data. For example, when a user searched for "mental health" or accessed test results regarding a "shoulder x-ray" while logged into the patient portal, this information was reportedly transmitted to third-party advertising platforms.
CIPA requires the consent of all parties to a communication before it can be recorded or intercepted. The complaint identifies four specific prohibited acts Kaiser allegedly committed:
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has previously issued guidance stating that tracking technologies on authenticated patient portals generally result in the disclosure of Protected Health Information (PHI).
The plaintiffs argued that Kaiser failed to obtain the necessary patient consent or sign Business Associate Agreements (BAAs) with these advertising vendors, making the data sharing unauthorized under HIPAA standards.
HIPAA does not provide a “private right of action” that would allow individuals to sue a business merely because it violated the law. However, these standards were used to support claims of negligence and breach of contract.
The Kaiser settlement highlights the significant financial and reputational risks associated with unmanaged third-party scripts on healthcare websites.
Prevent all website and app privacy violations by continuously scanning your websites and mobile apps with Web Auditor and App Auditor. Privado AI offers the most comprehensive solution to verify in real-time that your website, app, and CMP are compliant with all applicable privacy requirements for each location, including your privacy policies.