25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Google Must Face Majority of Claims in Healthcare Tracking Technology Class Action

Posted By on Jun 11, 2025

A lawsuit against Google LLC in the state of California that alleges the tech giant unlawfully collected individuals’ personal health information via tracking technology on healthcare providers’ websites has survived a motion to dismiss, with the majority of the claims allowed to proceed.

Google’s tracking technology includes Google Analytics code, software development kits, tracking pixels, and cookies. These tools can be added to websites to collect information about visitors’ interactions on web pages. Website owners can use the data to improve websites and web services, and the data is used to improve Google’s ad-targeting capabilities. When the code is added to healthcare providers’ websites, it can collect sensitive healthcare information, including information about medical conditions, treatments, appointments, and website searches. That information is tied to each website visitor through identifiers such as IP addresses.

Several lawsuits were filed against Google over the use of tracking code on hospital websites, and the lawsuits were consolidated in the U.S. District Court for the Northern District of California in May 2023. The lawsuit – Doe et al. v. Google LLC – alleges that Google’s tracking code was added to the majority of healthcare providers’ websites and collected sensitive health information without obtaining proper consent. That information was then transmitted to Google and used to enhance its advertising services.

One of the plaintiffs claims to have visited a Planned Parenthood website in 2018 when she was seeking an abortion procedure. The plaintiff believed the searches she performed on the website and the information she entered were confidential; however, Google’s tracking technology was installed and collected the plaintiff’s IP address, behavior on the site, reason for visiting, selected methods of abortion, the Planned Parenthood center chosen for the procedure, her approximate zip code, how she arrived on the Planned Parenthood site, her client ID, and other information. That information was transmitted to Google without her knowledge or consent.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The information collected from healthcare providers’ websites is intercepted and transmitted to Google, and its tools allow individuals to be tracked across multiple websites, such as for remarketing purposes. The lawsuits claim that Google’s tracking technology is used on many healthcare providers’ websites, including major hospitals and medical centers such as Keck Medicine of USC, MemorialCare: Long Beach Medical Center, and Sharp HealthCare.

The lawsuit claims Google knew its tracking code was being used on healthcare providers’ websites but failed to disclose that fact to users and did nothing to prevent its code from being used on healthcare websites. The lawsuit asserted claims of common law invasion of privacy, violation of the federal Wiretap Act, violation of the California Constitution, violation of the California Invasion of Privacy Act (CIPA), violation of the Confidentiality of Medical Information Act (CMIA), and unjust enrichment.

Google moved to have the lawsuit dismissed, claiming it lacked merit; however, U.S. District Court Judge Vince Chhabria ruled that the issues regarding consent and Google’s role in recording data prevent the lawsuit from being dismissed at this time.  Google updated its guidance for healthcare providers in 2023, instructing them not to send sensitive data through Google Analytics code on HIPAA-protected web pages. Judge Chhabria found it reasonable to infer that prior to that update, Google intended to receive communications containing individually identifiable health information and potentially capitalized on that data collection.

Certain breach of contract claims were dismissed along with claims related to data collection after Google updated its guidance. Most of the claims related to data collection prior to the issuing of updated guidance in 2023 have been allowed to proceed.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist