Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations

A lawsuit has been filed in the U.S. District Court for the Northern District of California against two healthcare organizations over their use of an AI-based tool that records conversations between patients and clinicians and transmits the audio files externally for processing and transcription. The lawsuit names the California nonprofit public benefit corporations Sutter Health and Memorial Healthcare Services as defendants, and alleges that their use of the tool violates the California Invasion of Privacy Act (CIPA), California Confidentiality of Medical Information Act (CMIA), California Unfair Competition Law, Federal Wiretap Act, and constitutes invasion of privacy – intrusion upon seclusion.

The AI-based platform was developed by Abridge AI, Inc., and is described as an “ambient clinical documentation system” which is marketed to health systems as an “enterprise-grade AI” that generates “contextually aware, clinically useful, and billable AI-generated notes, integrated directly into EHR workflows.” When activated on microphone-enabled devices in examination rooms, the tool captures conversations between clinicians and patients and transmits the recorded audio files to an external server, where they are processed and transcribed. AI models are used to generate structured draft clinical notes that can be checked by the clinician and incorporated directly into the electronic medical record system.

Abridge AI’s platform is used by many large health systems and providers, including Johns Hopkins, Mayo Clinic, Mount Sinai Medical Center, UC Health, MemorialCare, Christus Health, Corewell Health, and Reid Health, to name but a few. The platform is praised by users who report that it significantly decreases clinicians’ cognitive load, allows clinicians to give patients their undivided attention, and increases clinician satisfaction.

The lawsuit – Washington et al v. Sutter Health – was filed by plaintiffs Christina Washington, Dennis Gueretta, and Rebecca Matulic, each of whom visited the defendants in the past six months and disclosed sensitive medical information during their visits. The plaintiffs allege that they had a reasonable expectation that their conversations with clinicians would remain private and confidential, and that at the time of their visits they were unaware that those conversations were being recorded by an artificial intelligence platform, transmitted outside the clinical setting, and processed by a third-party system.

Information recorded and transmitted by the system included personally identifiable information and health information, including symptoms, diagnoses, prescription information, treatment plans, family medical histories, and mental health information, all of which is classed as protected health information under HIPAA. Because Abridge AI receives protected health information on behalf of its healthcare provider clients, it is a HIPAA business associate, and each client must have a business associate agreement in place with the company. As a business associate, Abridge AI is bound by the HIPAA Rules: any protected health information it collects, stores, or transmits must be safeguarded in accordance with the HIPAA Security Rule, its uses and disclosures of that information are restricted by the Privacy Rule, and it has breach reporting obligations.

Abridge AI acknowledges these obligations and signs business associate agreements with its HIPAA-covered entity clients. HIPAA permits covered entities to use and disclose protected health information for treatment, payment, and healthcare operations without patient authorization, so the recording, transmission, and processing performed by the platform at its clients’ direction does not require patient consent under HIPAA, provided a compliant business associate agreement is in place. The lawsuit does not allege a HIPAA violation (HIPAA provides no private right of action in any case); it asserts instead that intercepting, recording, and transmitting sensitive communications and health information without patients’ express consent violates the federal Wiretap Act and California privacy and consumer protection laws.

The lawsuit alleges that the defendants used the platform to obtain operational and financial benefits, such as reducing clinicians’ documentation burdens and improving efficiency, but deployed it without first establishing legally compliant consent procedures and authorization protocols, and without appropriate safeguards to protect the confidentiality of patients’ medical communications and medical information.

The lawsuit seeks class action certification, a jury trial, and damages for each violation of state law and the Wiretap Act. It also seeks injunctive relief, including a court order requiring the defendants to implement safeguards, policies, and technical controls to ensure that no medical information is intercepted or processed without patients’ prior consent, and an order requiring the defendants to pay the plaintiffs’ attorneys’ fees, expenses, and costs of suit.

“We take patient privacy seriously and are committed to protecting the security of our patients’ information. Technology used in our clinical settings is carefully evaluated and implemented in accordance with applicable laws and regulations,” said a spokesperson for Sutter Health.

The post Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations appeared first on The HIPAA Journal.

Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients

Rocky Mountain Associated Physicians has reported a data breach affecting more than 50,000 patients. Data breaches have also been announced by Aroostook Mental Health Center and the Iowa Department of Health and Human Services.

Rocky Mountain Associated Physicians

The Salt Lake City, Utah-based surgical and medical weight loss practice Rocky Mountain Associated Physicians has recently announced a security incident involving unauthorized access to the protected health information of up to 50,640 current and former patients. Rocky Mountain said its forensic investigation determined on February 2, 2026, that an advanced threat actor had accessed certain systems, including its patient database. The compromised database included individuals’ names, dates of birth, contact information, Social Security numbers, medical record numbers, diagnosis and treatment information, and health insurance information. For some individuals, financial information was also compromised, including debit/credit card numbers and PINs.

Rocky Mountain engaged third-party cybersecurity experts to review the security of its systems and has implemented additional safeguards to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services, and they should take advantage of those services, as the compromised data has been leaked on the dark web. The PEAR threat group claimed responsibility for the attack and added Rocky Mountain to its dark web data leak site. PEAR, which stands for Pure Extortion and Ransom, leaked the stolen data when the ransom was not paid.

Aroostook Mental Health Center

Legal counsel for Aroostook Mental Health Center in Presque Isle, Maine, has recently notified the Maine Attorney General about a data security incident discovered on March 21, 2026. The investigation and data review are currently ongoing, so it has yet to be determined how many individuals have been affected. Notification letters will be mailed to the affected individuals when those processes have been completed, and complimentary credit monitoring and identity theft protection services will be made available.

According to the notification letter, on March 12, 2026, Aroostook Mental Health Center began receiving alerts that its computer network had been disrupted. Immediate steps were taken to prevent further unauthorized access, and a forensic investigation was initiated, which confirmed that an unauthorized third party had accessed its network between March 11, 2026, and March 12, 2026, and had exfiltrated files from it. Aroostook Mental Health Center has enhanced its technical security measures and is reviewing and updating its data privacy and security policies. On April 2, 2026, the Qilin ransomware group took credit for the attack and added Aroostook Mental Health Center to its dark web data leak site.

Iowa Department of Health and Human Services

The Iowa Department of Health and Human Services (HHS) has started notifying 6,717 individuals about the exposure of some of their protected health information. On February 20, 2026, the Iowa HHS learned that a file containing Medicaid recipients’ data had been inadvertently posted on its publicly accessible website. The file was posted on February 16, 2026, and was accessible until February 20, 2026.

The file contained only limited information: Medicaid subscriber identification numbers, the names of the Medicaid waiver programs linked to those IDs, and eligibility assessment dates. No names, contact information, or health information were exposed. The Iowa HHS said it has provided additional training to its workforce and is reviewing its policies and procedures to prevent similar incidents in the future.

The post Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients appeared first on The HIPAA Journal.