Patients file class action suits against healthcare corporations over PHI exposure and data sharing

Overview

A cluster of class action lawsuits filed in mid-2026 is targeting large healthcare corporations for alleged failures to protect patient data, with plaintiffs asserting that sensitive health information was either improperly shared with third parties or exposed through inadequate security controls. One of the first suits, filed June 11 in Davidson County Circuit Court in Tennessee, was brought by three anonymous plaintiffs against CareNow, a network of urgent care clinics. ‍​​​‌‍The plaintiffs allege the company shared or permitted access to their protected health information without authorization.

The litigation spans both state and federal venues, signaling that plaintiffs' attorneys are pursuing parallel tracks to maximize jurisdiction and class size. The lawsuits collectively reflect a pattern that has become familiar in healthcare litigation: large institutional providers facing legal accountability for data practices that patients allege were conducted without their knowledge or meaningful consent.

‍​‌‌‌‍The cases arrive as healthcare organizations face intensifying scrutiny from regulators, state attorneys general, and now civil plaintiffs over how they handle, share, and protect PHI. Each lawsuit carries potential for substantial class-wide damages if certified, making the financial exposure for the named defendants considerably larger than a typical individual claim.

Key developments

CareNow named in Davidson County suit: Three Jane Does filed suit on June 11 against the urgent care chain in Tennessee state court, alleging unauthorized exposure or sharing of their PHI. ‍​‌‌‌‍The use of anonymous plaintiffs is common in health-data litigation, where disclosure of the plaintiff's identity would compound the alleged privacy harm.

Federal and state venues pursued simultaneously: Plaintiffs' counsel are filing in both state and federal courts, a deliberate strategy that broadens procedural options and may make it harder for defendants to consolidate or remove cases to a single forum where they would prefer to litigate.

Class certification is the pivotal legal question: If courts certify these suits as class actions, the defendant corporations could face liability across tens of thousands of patients rather than just the named plaintiffs. ‍‌​‌‌‍The scale of damages in certified healthcare data class actions has grown significantly over the past several years.

Third-party data sharing is a recurring allegation: Across the suite of lawsuits, a central theory of harm is not only that data was breached by outside attackers, but that the healthcare entities themselves shared PHI with advertisers, analytics vendors, or other third parties in ways that violated HIPAA and state privacy law. This mirrors earlier litigation patterns against hospital systems that embedded tracking pixels in patient-facing web portals.

‍​​​​‍## Industry impact

The litigation wave follows a period of aggressive enforcement and mounting civil exposure for healthcare data practices. OCR has made clear through recent guidance and enforcement actions that the use of tracking technologies on authenticated patient web pages — such as appointment schedulers and patient portals — constitutes impermissible disclosure of PHI to technology vendors. Multiple hospital systems have already settled with OCR over pixel-based tracking, and civil plaintiffs have now adapted the same factual theory into class action complaints.

‍​‌‌‌‍According to IBM's Cost of a Data Breach Report, healthcare has consistently reported the highest average breach cost of any industry for more than a decade, exceeding $10 million per incident in recent years. That figure covers regulatory fines, notification costs, and remediation, but does not fully capture the compounding cost of class action litigation, which can extend proceedings for years and generate separate settlement demands.

State-level privacy law is also a growing factor. ‍​​‌‌‍Several states have enacted health data privacy statutes that extend protections beyond HIPAA's floor and create private rights of action — meaning patients can sue directly without waiting for a regulator to act. Washington State's My Health MY Data Act, enacted in 2023, is one example. As more states pass similar laws, the population of potential plaintiffs in healthcare data suits will continue to grow.

‍‌​‌​‍## What this means for independent practices

Independent practices operating patient portals or online scheduling tools bear the same category of risk that is now producing litigation against large healthcare corporations. Scale makes the large systems more visible targets, but the underlying legal theory — that PHI was shared without authorization through technology integrations — applies equally to a small practice that embedded a third-party scheduling widget or analytics tag without a BAA. The discipline required is ongoing: vendor relationships change, software updates introduce new tracking components, and a configuration that was clean last year may not be clean today.

What would have prevented this

Third-party vendor inventory and BAA management: Maintaining a current inventory of every vendor that touches patient data — including web, IT, and software vendors — and ensuring each has an executed business associate agreement before receiving any PHI would address the core allegation in the data-sharing claims.

Web tracking configuration controls: Systematic review of all tags, pixels, scripts, and analytics tools embedded in patient-facing web properties, with controls that prevent those tools from firing on authenticated or health-data-containing pages, would eliminate the specific mechanism behind pixel-based PHI disclosure.

Data minimization policies: Limiting the collection, retention, and onward sharing of PHI to only what is operationally necessary reduces both the volume of data at risk and the surface area of potential liability across vendor integrations.

Role-based access controls (RBAC): Restricting internal access to PHI by job function and enforcing least-privilege principles limits the number of personnel and systems that can read or export patient records, reducing the risk of both inadvertent exposure and insider misuse.

Audit logging with anomaly detection: Maintaining detailed logs of who accessed, exported, or transmitted PHI — and reviewing those logs for patterns inconsistent with normal clinical workflows — enables earlier detection of unauthorized disclosures before they become the basis of litigation.

Read the original at DataBreaches.net