Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations

Posted by Steve Alder

A lawsuit has been filed in the U.S. District Court for the Northern District of California against two healthcare organizations over their use of an AI-based tool that records conversations between patients and clinicians and transmits the audio files externally for processing and transcription. The lawsuit names the California nonprofit public benefit corporations Sutter Health and Memorial Healthcare Services as defendants, and alleges that their use of the tool violates the California Invasion of Privacy Act (CIPA), California Confidentiality of Medical Information Act (CMIA), California Unfair Competition Law, Federal Wiretap Act, and constitutes invasion of privacy – intrusion upon seclusion.

The AI-based platform was developed by Abridge AI, Inc., and is described as an “ambient clinical documentation system” which is marketed to health systems as an “enterprise-grade AI” that generates “contextually aware, clinically useful, and billable AI-generated notes, integrated directly into EHR workflows.” When activated on microphone-enabled devices in examination rooms, the tool captures conversations between clinicians and patients and transmits the recorded audio files to an external server, where they are processed and transcribed. AI models are used to generate structured draft clinical notes that can be checked by the clinician and incorporated directly into the electronic medical record system.

Abridge AI’s platform is used by many large health systems and providers, including Johns Hopkins, Mayo Clinic, Mount Sinai Medical Center, UC Health, MemorialCare, Christus Health, Corewell Health, and Reid Health, to name but a few.  The platform is praised by users who report that it significantly decreases clinicians’ cognitive load, allows clinicians to give patients their undivided attention, and increases clinician satisfaction.

The lawsuit – Washington et al v. Sutter Health – was filed by plaintiffs Christina Washington, Dennis Gueretta, and Rebecca Matulic, who visited the defendants in the past six months and disclosed sensitive medical information in their visits. The plaintiffs allege that they had a reasonable expectation that their conversations with the clinicians would remain private and confidential. The plaintiffs allege that at the time of their visits, they were unaware that their conversations with clinicians were being recorded by an artificial intelligence platform and transmitted externally outside the clinical setting and processed by a third-party system.

Information recorded and transmitted by the system included personally identifiable information and health information, including symptoms, diagnoses, prescription information, treatment plans, family medical histories, and mental health information – information classed as protected health information under HIPAA. Under HIPAA, Abridge AI is classed as a business associate, as the company receives protected health information, and HIPAA requires each healthcare provider client to sign a business associate agreement with Abridge AI. As a HIPAA business associate, Abridge AI is bound by the HIPAA Rules, and any protected health information collected, stored, or transmitted by the company must be protected in accordance with the HIPAA Security Rule. There are also strict rules regarding the use and disclosure of protected health information and breach reporting obligations.

Abridge AI is aware of its responsibilities under HIPAA as a business associate and signs business associate agreements with its HIPAA-covered entity clients. Since the information collected, transmitted, and processed by the platform at the direction of its clients is related to healthcare operations, patient consent is not required by HIPAA, provided the healthcare organization has a HIPAA-compliant business associate agreement with Abridge AI. The lawsuit does not allege that HIPAA has been violated but does assert that the interception, recording, and transmission of sensitive communications and health information without patients’ express consent violates the federal Wiretap Act and state consumer privacy laws.

The lawsuit alleges that the defendants used the platform to obtain operational and financial benefits, such as reducing clinicians’ documentation burdens and improving efficiency, but despite obtaining those advantages, they used the platform without first establishing legally compliant consent procedures, authorization protocols, or establishing appropriate safeguards to protect the confidentiality of patients’ confidential medical communications and medical information.

The lawsuit seeks class action certification, a jury trial, and damages for each violation of state law and the Wiretap Act, as well as injunctive relief, including an order from the court for the defendants to implement safeguards, policies, and technical controls to ensure that no medical information is intercepted or processed without first receiving prior consent from patients, and order for the defendant to pay the plaintiffs’ attorneys’ fees, expenses and suit costs.

“We take patient privacy seriously and are committed to protecting the security of our patients’ information. Technology used in our clinical settings is carefully evaluated and implemented in accordance with applicable laws and regulations,” said a spokesperson for Sutter Health.

The post Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations appeared first on The HIPAA Journal.

Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients

Posted by Steve Alder

Rocky Mountain Associated Physicians has reported a data breach affecting more than 50,000 patients. Data breaches have also been announced by Aroostook Mental Health Center and the Iowa Department of Health and Human Services.

Rocky Mountain Associated Physicians

The Salt Lake City, Utah-based surgical and medical weight loss specialists, Rocky Mountain Associated Physicians, have recently announced a security incident involving unauthorized access to the protected health information of up to 50,640 current and former patients. Rocky Mountain said its forensic investigation determined on February 2, 2026, that an advanced threat actor accessed certain systems, including its patient database. The compromised database included individuals’ names, dates of birth, contact information, Social Security numbers, medical record numbers, diagnosis and treatment information, and health insurance information. For some individuals, financial information was compromised, including their debit/credit card numbers and PINs.

Third-party cybersecurity experts were engaged to review the security of its systems, and additional safeguards have been implemented to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The affected individuals should take advantage of the services being offered, as the compromised data has been leaked on the dark web. The PEAR threat group claimed responsibility for the attack and added Rocky Mountain to its dark web data leak site. PEAR, which stands for Pure Extortion and Ransom, leaked the stolen data when the ransom was not paid.

Aroostook Mental Health Center

Legal counsel for Aroostook Mental Health Center in Presque Isle, Maine, has recently notified the Maine Attorney General about a data security incident discovered on March 21, 2026. The investigation and data review are currently ongoing, so it has yet to be determined how many individuals have been affected. Notification letters will be mailed to the affected individuals when those processes have been completed, and complimentary credit monitoring and identity theft protection services will be made available.

According to the notification letter, Aroostook Mental Health Center started receiving alerts that its computer network had been disrupted on March 12, 2026. Immediate steps were taken to prevent further unauthorized access, and a forensic investigation was initiated, which confirmed that its network was accessed by an unauthorized third party between March 11, 2026, and March 12, 2026. The investigation confirmed that files had been exfiltrated from its network. Aroostook Mental Health Center has enhanced its technical security measures and is reviewing and updating its data privacy and security policies. On April 2, 2026, the Qilin ransomware group took credit for the attack and added Aroostook Mental Health Center to its dark web data leak site.

Iowa Department of Health and Human Services

The Iowa Department of Health and Human Services (HHS) has started notifying 6,717 individuals about the exposure of some of their protected health information. On February 20, 2026, the Iowa HHS learned that a file containing Medicaid recipients’ data had been inadvertently posted on its publicly accessible website. The file was posted on February 16, 2026, and was accessible until February 20, 2026.

The file contained limited information, including Medicaid subscriber identification numbers, the names of Medicaid waiver programs linked to the Medicaid IDs, and eligibility assessment dates only. No names, contact information, or health information were exposed. The Iowa HHS said it has provided additional training to its workforce and is reviewing its policies and procedures to prevent similar incidents in the future.

The post Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients appeared first on The HIPAA Journal.

Medical Group Announces PHI Exposure Due to Unencrypted Emails

Posted by Steve Alder

CardioFit Medical Group has discovered emails containing protected health information were inadvertently sent without encryption. Interventional Pain Center in Tennessee has identified unauthorized access to an email account containing PHI.

CardioFit Medical Group, California

CardioFit Medical Group, Inc., a California-based medical group providing acute, chronic, and preventive cardiology care, has started notifying certain patients about the exposure of some of their protected health information. The inadvertent HIPAA violation was identified on February 17, 2026, when CardioFit learned that patient information had been sent via emails that had not been encrypted. The emails were sent in January and February 2026 and were found to contain a limited amount of patient information.

Highly sensitive information such as Social Security numbers, bank account details, or credit card information was not included in the emails; however, the emails did contain names, demographic information, and in certain cases, limited clinical information such as diagnoses and health insurance information. Under HIPAA, email encryption is not mandatory when emails are sent internally, provided that alternative measures are implemented that provide an equivalent level of protection, such as a firewall. When protected health information is sent externally beyond the protection of a firewall, emails should be encrypted to prevent interception in transit and ensure that only the intended recipient can access the emails.

While patient data was exposed, there are no indications that the emails were accessed by unauthorized individuals, and no evidence has been found to indicate any misuse of the exposed information. In response to the breach, CardioFit has conducted a review of its privacy and security practices and has strengthened its procedures related to email encryption. CardioFit has also provided additional training to its staff to prevent similar incidents in the future. Notification letters were sent to the affected individuals on or around April 10, 2026. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Interventional Pain Center, Tennessee

Interventional Pain Center, a network of pain management centers in Tennessee, has identified unauthorized access to an employee’s email account that contained the personal and protected health information of 3,171 individuals. The incident was detected on December 11, 2025, and the forensic investigation confirmed that the unauthorized access was limited to a single email account, which was compromised between December 1, 2025, and December 11, 2025.

The account was reviewed to determine the types of information contained in the account and to whom it related. On or around March 17, 2026, Interventional Pain Center confirmed that the account contained files and emails that included names, addresses, zip codes, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, condition information, treatment information, prescription information, treating physician names, and health insurance information.

Interventional Pain Center secured the account to prevent further unauthorized access and has implemented additional safeguards to prevent similar incidents in the future, including enhancing its email security and monitoring controls, and providing additional training to the workforce. At the time of issuing notifications, Interventional Pain Center had found no evidence to suggest any of the exposed information had been misused.

The post Medical Group Announces PHI Exposure Due to Unencrypted Emails appeared first on The HIPAA Journal.

Free Webinar: How to Stop Phishing Attacks Before They Reach Your Team

Posted by Steve Alder

webinar - how to stop healthcare phishing attacksPhishing has long been a leading cause of healthcare data breaches. Hackers target employees as they are a weak link in the security chain, and many healthcare ransomware attacks start with credentials stolen in phishing attacks.

Phishing attacks are often blamed on the employees who respond to phishing attempts. A survey of healthcare IT leaders found 85% of respondents believe employee negligence is a top email security risk, yet despite that, only 16% of respondents said they train their workforce on how to recognize phishing attempts quarterly or more frequently. The majority of healthcare organizations only provide training to their workforce once a year, and hope that the training sticks and employees will remain vigilant throughout the year, which is seldom the case.

Unfortunately, the risk from phishing is getting worse as AI-generated phishing campaigns are difficult for employees to identify. AI-generated phishing emails are grammatically correct, free of spelling mistakes, and use advanced impersonation techniques. An analysis of phishing emails by KnowBe4 between late 2024 and early 2025 found that 83% of phishing emails were AI-generated.  Not only is AI-generated phishing outpacing training programs, the phishing emails also bypass traditional email spam filters. Further, Paubox research shows that when employees do identify phishing attempts, only 5% of attacks are reported to the security team! If you rely on employee training and a traditional email filter, your organization is at risk.

In this free webinar on April 28, 2026, discover why phishing defenses are failing and how you can improve your security posture and block attacks before they reach your team. The webinar is aimed at IT directors, CISOs, security leaders responsible for email infrastructure, compliance officers managing HIPAA email requirements, healthcare administrators who oversee PHI-handling workflows, and security teams weighing whether current controls match current threats.

Webinar attendees will learn about:

  • The evolution of AI-generated phishing and BEC attacks and why they bypass defenses
  • Why healthcare organizations are targeted
  • The findings of a Paubox analysis of 170 email-related data breaches in 2025 and common authentication gaps
  • How the “training plus spam filter” model leaves measurable security gaps
  • How inbound email security at the technical layer catches what training and traditional filters miss
  • How to assess where your organization’s email security actually stands today

WEBINAR DETAILS

How to Stop Phishing Attacks Before They Reach Your Team

Tuesday, April 28, 2026

10 a.m. PT | 11 a.m. MT | 12 p.m. CT | 1 p.m. ET | 6 p.m. BST

Register for the Webinar

Speaker: Dawn Halpin, Demand Generation Manager, Paubox

Dawn Halpin, Paubox

Dawn Halpin, a Marquette University and University of Wisconsin-Milwaukee graduate, is the Demand Generation Manager at the email security firm Paubox. Paubox is a leader in HIPAA-compliant email security for the healthcare industry and is trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health.

The post Free Webinar: How to Stop Phishing Attacks Before They Reach Your Team appeared first on The HIPAA Journal.