Patients file class action suits against healthcare corporations over PHI exposure and data sharing
Overview
A cluster of class action lawsuits filed in mid-2026 is targeting large healthcare corporations for alleged failures to protect patient data, with plaintiffs asserting that sensitive health information was either improperly shared with third parties or exposed through inadequate security controls. One of the first suits, filed June 11 in Davidson County Circuit Court in Tennessee, was brought by three anonymous plaintiffs against CareNow, a network of urgent care clinics. The plaintiffs allege the company shared or permitted access to their protected health information without authorization.
The litigation spans both state and federal venues, signaling that plaintiffs' attorneys are pursuing parallel tracks to maximize jurisdiction and class size. The lawsuits collectively reflect a pattern that has become familiar in healthcare litigation: large institutional providers facing legal accountability for data practices that patients allege were conducted without their knowledge or meaningful consent.
The cases arrive as healthcare organizations face intensifying scrutiny from regulators, state attorneys general, and now civil plaintiffs over how they handle, share, and protect PHI. Each lawsuit carries potential for substantial class-wide damages if certified, making the financial exposure for the named defendants considerably larger than a typical individual claim.
Key developments
CareNow named in Davidson County suit: Three Jane Does filed suit on June 11 against the urgent care chain in Tennessee state court, alleging unauthorized exposure or sharing of their PHI. The use of anonymous plaintiffs is common in health-data litigation, where disclosure of the plaintiff's identity would compound the alleged privacy harm.
Federal and state venues pursued simultaneously: Plaintiffs' counsel are filing in both state and federal courts, a deliberate strategy that broadens procedural options and may make it harder for defendants to consolidate or remove cases to a single forum where they would prefer to litigate.
Class certification is the pivotal legal question: If courts certify these suits as class actions, the defendant corporations could face liability across tens of thousands of patients rather than just the named plaintiffs. The scale of damages in certified healthcare data class actions has grown significantly over the past several years.
Third-party data sharing is a recurring allegation: Across the suite of lawsuits, a central theory of harm is not only that data was breached by outside attackers, but that the healthcare entities themselves shared PHI with advertisers, analytics vendors, or other third parties in ways that violated HIPAA and state privacy law. This mirrors earlier litigation patterns against hospital systems that embedded tracking pixels in patient-facing web portals.
## Industry impact
The litigation wave follows a period of aggressive enforcement and mounting civil exposure for healthcare data practices. OCR has made clear through recent guidance and enforcement actions that the use of tracking technologies on authenticated patient web pages — such as appointment schedulers and patient portals — constitutes impermissible disclosure of PHI to technology vendors. Multiple hospital systems have already settled with OCR over pixel-based tracking, and civil plaintiffs have now adapted the same factual theory into class action complaints.
According to IBM's Cost of a Data Breach Report, healthcare has consistently reported the highest average breach cost of any industry for more than a decade, exceeding $10 million per incident in recent years. That figure covers regulatory fines, notification costs, and remediation, but does not fully capture the compounding cost of class action litigation, which can extend proceedings for years and generate separate settlement demands.
State-level privacy law is also a growing factor. Several states have enacted health data privacy statutes that extend protections beyond HIPAA's floor and create private rights of action — meaning patients can sue directly without waiting for a regulator to act. Washington State's My Health MY Data Act, enacted in 2023, is one example. As more states pass similar laws, the population of potential plaintiffs in healthcare data suits will continue to grow.
## What this means for independent practices
- Audit all third-party data flows now. Any vendor that receives data through a patient-facing website, portal, or scheduling tool — including analytics, advertising, chatbot, or form providers — should be reviewed against HIPAA's definition of a business associate. If a vendor receives PHI and has no executed BAA, that gap represents both regulatory and civil litigation exposure.
- Remove or block tracking pixels on authenticated pages. OCR's December 2022 guidance and subsequent enforcement make clear that standard web analytics tools on pages where patients log in or submit health information are presumptively impermissible. Audit page-level tracking configurations and disable any that transmit PHI to third parties not covered by a BAA.
- Review consent language for data sharing. Authorization forms should accurately describe how PHI is used, including any sharing with vendors or platforms. Vague or outdated consent language is a direct liability risk in class action litigation.
- Document the risk analysis. In any regulatory or litigation proceeding, demonstrable evidence of a conducted and documented risk analysis is a foundational defense. Practices that cannot produce this documentation face a harder path in both OCR investigations and civil discovery.
- Engage counsel before a lawsuit arrives. The time to understand a practice's exposure to class action litigation is before a complaint is filed. A brief review with a healthcare attorney familiar with state privacy law — particularly in states with private rights of action — is considerably less expensive than reactive defense.
Independent practices operating patient portals or online scheduling tools bear the same category of risk that is now producing litigation against large healthcare corporations. Scale makes the large systems more visible targets, but the underlying legal theory — that PHI was shared without authorization through technology integrations — applies equally to a small practice that embedded a third-party scheduling widget or analytics tag without a BAA. The discipline required is ongoing: vendor relationships change, software updates introduce new tracking components, and a configuration that was clean last year may not be clean today.
What would have prevented this
Third-party vendor inventory and BAA management: Maintaining a current inventory of every vendor that touches patient data — including web, IT, and software vendors — and ensuring each has an executed business associate agreement before receiving any PHI would address the core allegation in the data-sharing claims.
Web tracking configuration controls: Systematic review of all tags, pixels, scripts, and analytics tools embedded in patient-facing web properties, with controls that prevent those tools from firing on authenticated or health-data-containing pages, would eliminate the specific mechanism behind pixel-based PHI disclosure.
Data minimization policies: Limiting the collection, retention, and onward sharing of PHI to only what is operationally necessary reduces both the volume of data at risk and the surface area of potential liability across vendor integrations.
Role-based access controls (RBAC): Restricting internal access to PHI by job function and enforcing least-privilege principles limits the number of personnel and systems that can read or export patient records, reducing the risk of both inadvertent exposure and insider misuse.
Audit logging with anomaly detection: Maintaining detailed logs of who accessed, exported, or transmitted PHI — and reviewing those logs for patterns inconsistent with normal clinical workflows — enables earlier detection of unauthorized disclosures before they become the basis of litigation.