Legal News about HIPAA Compliance

Alphabet’s Verily Sued by Former Executive Over Alleged HIPAA Breaches

A lawsuit has been filed against Alphabet-owned Verily by a former employee who alleges that the personally identifiable health information of more than 25,000 patients was misused, and the company failed to report the HIPAA breaches, as required by the Health Insurance Portability and Accountability Act (HIPAA).

Verily, formerly Google Life Sciences, is a research organization owned by Google’s parent company, Alphabet. The Verily platform drives AI-powered precision health solutions that help pharmaceutical firms bring new therapies to market sooner and health systems and payers improve patient outcomes at a lower cost. The lawsuit alleges that an internal investigation confirmed HIPAA breaches involving HIPAA-protected data obtained from 14 HIPAA-regulated entities. The lawsuit claims patient data was used without authorization, in violation of the HIPAA Privacy Rule. Further, while the investigation uncovered misuses of patient data, Verily failed to disclose the breach, delaying notifications while contract renewals were negotiated with the affected covered entities, in violation of the HIPAA Breach Notification Rule.

The lawsuit was filed last year; however, it went unreported by the media until it was spotted by CNBC, which reported on the lawsuit last week. The lawsuit was filed by Ryan Sloan, a former chief commercial officer at Verily Onduo, Verily’s diabetes and hypertension business. The lawsuit is currently pending in the United States District Court for the Northern District of California in San Francisco, having survived a motion to dismiss or resolve the lawsuit through arbitration.

Sloan was hired by Verily in 2020 and was employed until he was terminated in January 2023. Sloan claims that he and Julia Feldman, general counsel at Onduo, discovered the HIPAA violations in January 2022 and reported them to senior management. Sloan claims that patient data was used for research, marketing campaigns, press releases, and national conferences, which are not uses permitted by the HIPAA Privacy Rule unless consent is obtained from patients.

Sloan claims that he and Feldman repeatedly raised the matter with senior management, and an internal investigation confirmed that there had been several HIPAA breaches of business associate agreements between Verily and HIPAA-covered entities, including Quest Diagnostics, Highmark Health, Walgreens Boots Alliance, and others. Despite the discovery of HIPAA breaches, Sloan alleges no notifications were issued.

He claims that during a contract negotiation between Verily and Highmark Health in August 2022, Verily misrepresented that it was fully compliant with the HIPAA Rules at all times, when the company knew that HIPAA violations had occurred, including with Highmark Health data. The lawsuit claims that Feldman was terminated later that month, along with another individual who was aware of the HIPAA breaches. Sloan was terminated in January 2023, which he claims was in response to repeatedly raising concerns about the HIPAA violations and the alleged cover-up of the HIPAA breaches.

There is no private cause of action under HIPAA, so individuals are not permitted to sue for HIPAA violations. Only the HHS’ Office for Civil Rights (OCR) and state attorneys general have the authority to take legal action for HIPAA violations. The lawsuit, Sloan v. Verily Life Sciences LLC, claims that Verily retaliated against Sloan after he raised the HIPAA violations in good faith, in breach of his employment contract. Verily denies the allegations.

“Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law,” said a Verily spokesperson in a statement to CNBC. “Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously.  As this is an ongoing legal matter, Verily will not be providing further comment at this time.”

The post Alphabet’s Verily Sued by Former Executive Over Alleged HIPAA Breaches appeared first on The HIPAA Journal.

R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit

A $675,000 settlement has been agreed upon to resolve a class action data breach lawsuit against R1 RCM Inc., a revenue cycle management company,  and Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus in Henderson, Nevada.

The lawsuit stems from a data breach at R1 RCM, which was detected on November 23, 2023. R1 RCM determined that the hacker had exfiltrated sensitive data such as names, contact information, dates of birth, Social Security numbers, service locations, diagnosis information, patient account numbers, and medical record numbers.  The data breach was reported to the HHS’ Office for Civil Rights as affecting 16,121 individuals.

The lawsuit – Heather Hillbom v. R1 RCM, Inc. and Dignity Health dba Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus – was filed in the U.S. District Court for the District of Nevada on April 5, 2024, and alleged that the defendants were negligent by failing to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. The defendants maintain there was no wrongdoing and that there is no liability; however, the decision was made to settle the lawsuit to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, class members are entitled to claim two years of three-bureau credit monitoring services and identity theft protection services through CyEx Medical Shield Total.  In addition, all class members may claim a monetary payment, which will be calculated after attorneys’ fees, credit monitoring costs, legal expenses, settlement administration costs, service awards, and claims for out-of-pocket expenses have been deducted from the settlement fund. Claims may also be submitted for reimbursement of documented, unreimbursed, out-of-pocket losses. Up to $500 may be claimed as reimbursement for ordinary out-of-pocket expenses, and up to $2,500 for extraordinary out-of-pocket expenses, such as losses to fraud and identity theft.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 14, 2025. The deadline for objecting to and exclusion from the settlement is October 13, 2025, and all claims must be received by November 11, 2025.

Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit

Adena Health System, a nonprofit health system serving patients in south central and southern Ohio, has agreed to pay $17.8 million to resolve claims that it unlawfully disclosed patient data to third parties via tracking pixels on its MyChart patient portal.

Adena Health is one of many health systems to use tools such as Meta Pixel and Google Analytics code to track users on its website; however, these tools were also implemented on its patient portal, which requires users to log in. Whilst on the website and patient portal, users’ data was collected, which may have included personally identifiable information (PII) and protected health information (PHI). That information was automatically sent to companies such as Meta and Google.

A lawsuit was filed over the disclosures, which were alleged to have occurred without the knowledge or consent of the data subjects. Users of the patient portal could book appointments, research medical conditions, learn about treatment options, and communicate with their providers. The lawsuit alleged that health conditions, preferred treatment options, physicians’ details, and search queries were all collected by the tracking tools and were transmitted to third parties. If a user was logged into their Facebook account at the time, the lawsuit claims the unique Facebook identifier was also transmitted, allowing them to be personally identified. The lawsuit claims the tools were knowingly added to the website and that Adena Health unjustly profited from the disclosures.

The lawsuit alleged negligence, breach of confidence, breach of fiduciary duty, unjust enrichment, invasion of privacy, and a violation of the Electronic Communications Privacy Act, and claimed that there is civil liability for criminal actions – the knowing disclosure of individually identifiable health information to a third party. Adena Health denies wrongdoing and liability and disagrees with the claims and contentions in the lawsuit; however, it agreed to a settlement to bring the litigation to an end to avoid the risks and uncertainties of trial and further litigation costs.

Under the terms of the settlement, the 89,000 class members who visited the patient portal between November 1, 2022, and June 3, 2024, are entitled to claim a cash payment of $21 and a year of credit monitoring and identity theft protection services, valued at $179 per person. The settlement now awaits approval from the court.

HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites

The Trump administration has agreed to settle a lawsuit filed by the Washington State Medical Association (WSMA) and eight other plaintiffs that sought to stop and reverse the deletion of important public health and science data from federal websites. Under the terms of the settlement, the Department of Health and Human Services is required to restore more than 100 datasets and webpages that were deleted since January 2025.

On January 20, 2025, President Trump signed several executive orders, two of which concerned gender identity and diversity, equity, and inclusion (DEI) – Executive Order 14168: Ending Radical and Wasteful Government DEI Programs and Preferencing & Executive Order 14151: Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government. Over the course of several months, the Trump administration directed federal agencies such as the Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), and Food and Drug Administration (FDA) to delete public health information that had previously been published on those agencies’ websites.

The deleted content included public health information relating to LGBTQ health, gender and reproductive health, vaccine guidance, Mpox treatment, pregnancy risk, opioid use disorder, HIV/AIDS research, and the NIH HIV Risk reduction tool, data from clinical trials, and more.

A lawsuit was filed in federal court to stop the deletion of data from taxpayer-funded websites, restore the deleted content, and establish legal protection to prevent future efforts to suppress public health information. The lawsuit was filed by the WSMA, Washington State Nurses Association, Washington Chapter of the American Academy of Pediatrics, AcademyHealth, Association of Nurses in AIDS Care, Fast-Track Cities Institute, International Association of Providers of AIDS Care, National LGBT Cancer Network, and Vermont Medical Society.

The defendants were Robert F. Kennedy Jr., Department of Health and Human Services (HHS), Matthew Buzzelli, CDC, Jay Bhattacharya, NIH, Martin A. Makary, FDA, Thomas J. Engels, Health Resources and Services Administration, Charles Ezell, and the Office of Personnel Management.

The lawsuit – Washington State Medical Association et al. v. Kennedy et al. – alleged that the deleted data was critical to public health research and combatting morbidity and mortality, and the removal of health-related data in response to the executive orders violated the Administrative Procedure Act, the separation of powers principle, the Paperwork Reduction Act, the Public Health Service Act, and the Prematurity Research Expansion and Education for Mothers Who Deliver Infants Early Act.

“The unannounced and unprecedented deletion of these federal webpages and datasets came as a shock to the medical and scientific communities, which had come to rely on them to monitor and respond to disease outbreaks, assist physicians and other clinicians in daily care, and inform the public about a wide range of healthcare issues,” wrote the plaintiffs in the lawsuit. “Health professionals, nonprofit organizations, and state and local authorities used the websites and datasets daily to care for their patients, provide resources to their communities, and promote public health.”

The lawsuit alleged that thousands of databases have been deleted, depriving the medical community and the public of accessing critical resources. The defendants have restored some of the deleted datasets and webpages, in some instances in response to court orders, but the restoration has been inconsistent and scattershot. The plaintiffs claimed that the defendants made “arbitrary, capricious and unreasoned” decisions to delete critical resources that, under American law, are required to be made available to the American people.

“Access to trustworthy information allows us to solve real problems, improve health outcomes, and plan for the future. If we don’t stand up for data now, we risk losing the tools we rely on to make progress, regardless of politics,” said Dr. Aaron Carroll, president and CEO of AcademyHealth.

On September 2, 2025, the WSMA announced that it was thrilled that a settlement had been reached, which requires the HHS to restore webpages and data that were wrongfully deleted, and make them available again to physicians, scientists, medical professionals, and the American public. Under the terms of the settlement, the HHS is required to restore the deleted websites, webpages, and datasets that were taken down this year and have not already been restored, as detailed in Appendix A of the complaint.

“I am extremely proud of the health care community in Washington state and our partners in this case for pushing back on this egregious example of government overreach,” said John Bramhall, MD, PhD, president of the WSMA. “This was not a partisan issue – open data benefits everyone, and ensuring its availability should be a bipartisan priority.”

Settlement Agreed to Resolve Weirton Medical Center Data Breach Lawsuit

Weirton Medical Center in West Virginia has agreed to a settlement to resolve class action litigation over a January 2024 ransomware attack that involved the exfiltration of sensitive data from its network. Hackers had access to its computer network between January 14 and January 18, 2024, and used ransomware to encrypt files. Data stolen in the attack included names, dates of birth, Social Security numbers, health insurance information, and treatment information. The affected individuals were notified on March 18, 2024, and the data breach was reported to the HHS Office for Civil Rights as affecting 26,793 individuals.

Four class action lawsuits were filed in response to the data breach in the U.S. District Court for the Northern District of West Virginia, naming Trish Yano, Matthew Foltz, Leslie Telek, and Judy Mullins as plaintiffs. The lawsuits were consolidated into a single lawsuit – In re Weirton Medical Center Data Breach Litigation – on June 21, 2024. The lawsuit asserted claims of negligence and negligence per se for failing to protect sensitive data on its network from unauthorized access, as well as unjust enrichment, breach of implied contract, breach of confidence, and breach of fiduciary duty.

The lawsuit survived a motion to dismiss, and all parties filed a joint motion to stay proceedings pending mediation. Weirton Medical Center disagreed with all claims and contentions in the lawsuit; however, after a full day of mediation, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and resolves the litigation in its entirety, with no admission of liability or wrongdoing.

All class members are entitled to claim one of two cash payments and credit monitoring services. A claim may be submitted for reimbursement of actual documented, unreimbursed losses that were more likely than not caused by the data breach up to a maximum of $5,000 per class member.  Alternatively, class members may claim a cash payment of $50.00, without providing any documentation to prove losses.

All class members can claim one year of three-bureau credit monitoring services, which include identity theft protection and recovery services, and a $1,000,000 identity theft insurance policy. The deadline for exclusion from and objection to the settlement is October 6, 2025. Claims must be submitted by November 5, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 3, 2025.

CVS Health Faces HIPAA Probe Over Alleged Use of Patient Data for Lobbying and Political Advocacy

CVS Health is facing a probe into potential HIPAA violations related to the alleged use of patient data for lobbying purposes to prevent the passing of a Louisiana state bill that could affect its business interests. The bill in question, House Bill 358 (HB 358), proposes several amendments to current pharmacy laws in Louisiana. One of the proposed amendments is prohibiting providers in the state from operating as both pharmacy benefit managers (PBMs) and individual pharmacies.

A pharmacy benefit manager is an intermediary between drug companies and pharmacies that negotiates prices with the drug companies on behalf of employers and health plans. They often also manage pharmacy networks and operate mail-order pharmacies. PBMs are facing increased scrutiny over their business practices. The Federal Trade Commission (FTC) alleged that major PBMs have inflated drug prices to increase company profits, negotiating lower prices from drug companies, then marking up the drug prices at their pharmacies. According to an FTC report earlier this year, between 2017 and 2022, UnitedHealth Group’s Optum, CVS Health’s CVS Caremark, and Cigna’s Express Scripts increased the prices of medications for heart disease, cancer, and HIV at their affiliated pharmacies, boosting revenues by $7.3 billion in excess of the acquisition costs of the medications.

Several states have passed laws to rein in PBMs and limit their influence on drug pricing, and reducing the costs of medications is a key priority for the Trump administration. CVS Health and Cigna have filed lawsuits attempting to overturn a law implemented in Arkansas to this effect, and CVS Health is alleged to have engaged in lobbying to prevent HB 358 from being passed in Louisiana. If the bill is signed into law, it would have serious implications for CVS Health, which operates as the PBM CVS Caremark, as well as 119 CVS pharmacies in the state of Louisiana.

Louisiana Attorney General Liz Murrill launched an investigation of CVS Health earlier this year after receiving reports alleging CVS Health had sent large numbers of text messages to state employees and their families to lobby against the proposed legislation. One of the texts informed the recipients that if the bill is signed into law, their CVS Pharmacy could close, medication costs could rise, and their pharmacist could lose their job.

The texts included a link to a draft letter to lawmakers calling for them to reject the legislation. “The proposed legislation would take away my and other Louisiana patients’ ability to get our medications shipped right to our homes,” the letter read. “They would also ban the pharmacies that serve patients suffering from complex diseases requiring specialty pharmacy care to manage their life-threatening conditions, like organ transplants or cancer. These vulnerable patients cannot afford any disruption to their care – the consequences would be dire.” CVS Health has been accused of lying and using scare tactics to oppose the bill, which CVS Health denies.

In late June, AG Murrill filed three lawsuits against CVS Health alleging unfair, deceptive, and unlawful practices, which have harmed Louisiana patients, independent pharmacies, and the public at large. According to CVS Health spokesperson Amy Thibault, the bill was proposed with no public hearing. “We believe we had a responsibility to inform our customers of misguided legislation that sought to shutter their trusted pharmacy, and we acted accordingly,” Thibault said. “Our communication with our customers, patients and members of our community was consistent with law.”

Now, a probe has been launched by two Republican lawmakers in response to the allegations that patient data was used for lobbying purposes, potentially in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. House Committee on Oversight and Government Reform Chairman James Comer (R-KY) and Subcommittee on Federal Law Enforcement Chairman Clay Higgins (R-LA) wrote to CVS Health President and CEO David Joyner, demanding answers about how patient data has been used.

“This text message campaign raises ethical and potential legal issues if indeed CVS Pharmacy used confidential patient information, obtained through a state contract, to lobby against H.B. 358,” wrote the lawmakers. “The inflammatory and misleading text messages—which included threats of pharmacy location closures, increased prescription costs, and loss of service providers—sought to encourage CVS Pharmacy customers to contact Louisiana lawmakers to oppose the bill. This is concerning because CVS Pharmacy must comply with the Health Insurance Portability and Accountability Act (HIPAA) to access confidential patient information.”

The lawmakers explained in the letter that the HIPAA Privacy Rule does not expressly permit the use of patient data for political advocacy or lobbying, and that patient authorization would be required for such uses. They pointed out that it appears that the mass texting capabilities used by CVS Health pharmacies for notifying patients about prescription updates and other individualized patient information have been used in a manner that may have violated HIPAA.

The lawmakers have requested documentation and copies of communications related to the use of patient and customer personal health information for the purposes of political advocacy or lobbying in Louisiana and all other states from January 1, 2020, to the present. They require a response by September 18, 2025.

Morris Hospital Agrees to $1.36M Class Action Data Breach Settlement

Morris Hospital & Healthcare Centers has agreed to settle a consolidated class action lawsuit that alleged negligence for failing to prevent an April 2023 data breach that affected 248,943 individuals. Under the terms of the settlement agreement, Morris Hospital will establish a $1,361,571.77 settlement fund to cover attorneys’ fees, legal expenses, and benefits for the class members.

In April 2023, Morris Hospital identified unauthorized access to its network. Hackers had access to the personal and protected health information of current and former patients, employees, and their dependents and beneficiaries.  The Royal ransomware group was behind the attack and posted the stolen data on its data leak site. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit in the Circuit Court of the Thirteenth Judicial Circuit, Grundy County, Illinois – In re: Morris Hospital Data Breach Litigation. In addition to negligence, the lawsuit asserted claims of negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.

Morris Hospital denies all allegations of wrongdoing and liability, while the plaintiffs believe the claims have merit. All parties agreed to a settlement, which was viewed as being in the best interests of all parties considering the risks and costs of continuing with the litigation. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 24, 2025. Benefits for class members will be paid after all costs and expenses have been deducted from the settlement fund, which include up to $453,857.26 for attorneys’ fees, $2,000 service awards for each of the 13 named plaintiffs, and yet-to-be-determined settlement administration costs and attorneys’ expenses.

All class members may submit a claim for 24 months of comprehensive credit monitoring and identity theft protection services through CyEx Medical Shield Total. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member. If a claim for losses is not submitted, class members may instead claim a pro rata cash payment, which is expected to be approximately $100, depending on the number of claims received. Further information can be found on the settlement website: https://www.morrishospitalsettlement.com/

Individuals wishing to object to or be excluded from the settlement have until September 29, 2025, to do so, and all claims must be submitted by October 28, 2025.

Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data

A former business clerk at Montefiore Medical Center and his partner have pleaded guilty to stealing thousands of patient records and using the stolen data to defraud government agencies out of almost $1 million.

Wilkins Estrella, 40, of Hackensack, New Jersey, had worked at the Bronx hospital for almost a decade. He was terminated in 2020 after an internal audit of access logs revealed he had been accessing patient records without authorization from at least 2020 to 2022. The review confirmed that more than 4,000 medical records were accessed without any legitimate business purpose for doing so. Montefiore Medical Center reported the data breach to the HHS’ Office for Civil Rights and referred the matter to law enforcement for criminal prosecution.

Along with his romantic partner, Charlene Marte, 31, of the Bronx, New York, Estrella misused patient data to open debit card accounts in patients’ names and had those cards sent to their own addresses and those of family members. The pair then used data from multiple sources to target COVID-19 relief funds from the Internal Revenue Service (IRS) and the New York State Department of Labor, including patients’ names, Social Security numbers, and other personally identifiable information obtained from Montefiore Medical Center.

The pair attempted to obtain $1.6 million in stimulus checks, tax refunds, and unemployment benefits, resulting in almost $1 million in actual losses. The funds were loaded onto the debit cards that the couple had fraudulently obtained.

Marte pled guilty to conspiracy to commit wire fraud and bank fraud on July 28, 2025, and is due to be sentenced on November 5, 2025. She faces up to 30 years in jail.  Estrella pled guilty to conspiracy to commit wire fraud and bank fraud on August 7, 2025, as well as one count of wrongful disclosure of individually identifiable health information. Estrella faces a maximum jail term of 30 years for the bank and wire fraud counts, and up to 10 years in jail for the wrongful disclosure charge, and is due to be sentenced on December 1, 2025. Estrella and Marte are also liable for $951,618.20 in forfeiture and the same amount in restitution.

“Wilkins Estrella stole the personal data of thousands of people, including hospital patients, and used this data along with his partner Charlene Marte to claim money that was intended to assist struggling Americans during the pandemic,” said U.S. Attorney Jay Clayton.  “Defrauding federal programs harms all New Yorkers, and our Office is committed to stopping it.”

Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement

Another healthcare provider has agreed to settle a class action lawsuit over its use of Meta Pixel and other third-party analytics and tracking tools on its website. Children’s Hospital Medical Center of Akron, doing business as Akron Children’s Hospital, was alleged to have added these tools to its website, but their use and implementation resulted in website visitors’ personally identifiable information being disclosed to Facebook and other third parties without the web visitors’ knowledge or consent.

On January 5, 2024, plaintiff John Doe filed a lawsuit – Doe v. Children’s Hospital Medical Center of Akron – against Akron Children’s Hospital in the Court of Common Pleas, Summit County, Ohio, individually, and as next friend of minors A.D., B.D., and C.D., and other similarly situated individuals. The plaintiff alleged that his own PII and that of his minor children and other individuals was disclosed to third parties such as Meta (Facebook), Google, and others without their knowledge or consent, resulting in an invasion of privacy.

In addition to invasion of privacy – intrusion upon seclusion, the lawsuit asserted claims of negligence, negligence per se, breach of confidence, unjust enrichment, and interception and disclosure of electronic communications. Akron Children’s Hospital denies all claims asserted in the lawsuit and all allegations of wrongdoing and liability; however, it attempted mediation to avoid further litigation costs and the uncertainty of a jury trial. While initial mediation efforts failed, after several months of negotiation, a settlement was agreed that was acceptable to all parties. The settlement agreement has now received preliminary approval from Judge Alison McCarty.

The settlement agreement addresses the harm caused by the alleged data disclosure, the potential for future harm, and economic losses incurred by the plaintiffs and the 313,700 class members. All class members will be entitled to claim a one-time cash payment of $19 and will be provided with two years of credit monitoring and identity theft protection services, which include dark web monitoring, lost wallet assistance, a $1 million identity theft insurance policy, and fully managed identity theft restoration and advisory services.

Akron Children’s Hospital will also pay attorneys’ fees, costs, and expenses, settlement administration costs, service awards for class members, and has agreed to injunctive relief, which includes the removal of pixels from its public-facing website, and a commitment not to add pixels to its patient portal or any forms on its public-facing website. Akron Children’s Hospital is permitted to use pixels that are essential for website functionality and may use HIPAA-compliant third-party companies in the future for analytics functions, provided a business associate agreement is in place.

The deadline for exclusion from the settlement, objection, and submitting a claim is September 29, 2025. The final approval hearing has been scheduled for October 10, 2025.
