Judge allows key claims in class action over Google’s alleged health data collection

The court narrowed a privacy suit against Google, letting claims proceed only for health data collected before its 2023 policy update.

A federal court in California has given the green light to a lawsuit alleging that Google improperly harvested personal data from websites operated by healthcare providers, but with a crucial caveat.

The ruling, handed down by Judge Vince Chhabria, permits the case to proceed, albeit only with respect to claims pertaining to data collected prior to a pivotal moment in 2023, when Google ostensibly began advising its healthcare clients on how to withhold sensitive medical information from being transmitted to the tech giant.

This nuanced decision effectively narrows the scope of the lawsuit, which was brought by a group of anonymous consumers, to focus on Google’s data-gathering practices during a specific timeframe, raising important questions about the company’s handling of sensitive user information and its potential implications for data privacy.

A quiet yet profound struggle is unfolding in the digital realm, one that pits the imperatives of data-driven commerce against the sanctity of personal privacy. At the heart of this conflict lies Google’s ubiquitous tracking technology, a suite of tools that includes Analytics code, software development kits, and cookies, all designed to harvest precious information about online behavior.

When these tools are embedded in the websites of healthcare providers, they can inadvertently collect sensitive medical information, including details about treatments, appointments, and even website searches.

This data, tied to individual users through identifiers like IP addresses, is then transmitted to Google, where it is used to refine the company’s advertising capabilities, raising fundamental questions about the boundaries of digital surveillance.

Data under scrutiny

The use of Google’s tracking code on hospital websites has sparked a flurry of lawsuits, which were consolidated in a California federal court in May 2023.

The lead case, Doe et al v Google LLC, alleges that Google’s tracking technology was installed on a vast majority of healthcare providers’ websites, allowing the company to collect sensitive health information without obtaining proper consent. This data, in turn, was used to enhance Google’s advertising services, creating a lucrative yet potentially problematic feedback loop.

One plaintiff, who wishes to remain anonymous, claims to have visited a Planned Parenthood website in 2018 while seeking an abortion procedure, only to have her online activities tracked and transmitted to Google without her knowledge or consent.

As the lawsuit alleges, Google’s tracking technology is not only pervasive but also remarkably sophisticated, allowing individuals to be tracked across multiple websites and devices. This capability, known as remarketing, enables Google to create detailed profiles of online behavior, which can then be used to target advertisements with uncanny precision.

The plaintiffs argue that this practice is not only invasive but also potentially damaging, as it can compromise the confidentiality of sensitive medical information. The lawsuit claims that Google’s tracking technology is used on a wide range of healthcare providers’ websites, including major hospitals and medical centers, highlighting the need for greater transparency and accountability in the digital realm.

The putative class action, which was first filed in May 2023, alleges that Google’s tracking technology violates a range of federal and state laws, including the Wiretap Act and the California Invasion of Privacy Act. The plaintiffs also assert breach of contract and unjust enrichment, arguing that Google’s data collection practices are not only unlawful but also fundamentally unfair.

As the case winds its way through the courts, it is likely to raise important questions about the balance between commercial interests and individual privacy, as well as the need for greater regulation of digital surveillance. The latest amended complaint, filed in August, provides a detailed roadmap of the plaintiffs’ allegations, highlighting the scope and complexity of Google’s tracking technology.

In a recent ruling, Judge Vince Chhabria gave the plaintiffs a significant victory, allowing the case to proceed on a limited basis.

The judge ruled that the plaintiffs had “improved their allegations” and provided a more convincing explanation for their claims, which focus on Google’s intentional collection of health information prior to 2023.

Question of intent

Judge Chhabria’s recent ruling has shed new light on the allegations against Google, specifically with regard to the company’s intention to collect sensitive health information.

The plaintiffs’ allegations suggest that Google’s products were designed to collect and analyze communications on webpages, including those containing sensitive health information. The company’s own policies, prior to 2023, vaguely stated that providers “may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.”

This language, the judge found, was inadequate and created a situation in which clients may have inadvertently transmitted communications containing individually identifiable health information.

The judge’s ruling also touched on the issue of consent, noting that it was plausible to infer that healthcare providers did not consent to the collection of individually identifiable health information because they did not understand that the automatic collection of certain information, such as IP addresses, would render the communications identifiable under HIPAA.

This lack of understanding, the judge found, created a factual issue that could not be resolved on the pleadings.

The plaintiffs had adequately alleged that the information collected by Google was individually identifiable, as it could be tied to a particular person through IP addresses, cookies, and other means.

Google’s update to its help pages in 2023, which explained to providers how to avoid sending health information to Google, was seen as a significant development in the case. The judge found that this update created a plausible inference that Google was aware of the potential for its products to collect private health information and took measures to prevent it.

However, the judge also noted that the plaintiffs’ allegations did not support an inference that Google intentionally obtained communications containing private health information after the 2023 update.

The case has also raised questions about the scope of HIPAA and the definition of individually identifiable health information.

The judge found that the plaintiffs had adequately alleged that the information collected by Google was individually identifiable, as it could be tied to a particular person through IP addresses, cookies, and other means.

This finding has significant implications for the case and highlights the need for greater clarity on the definition of individually identifiable health information under HIPAA.

Google’s defensive maneuvers

Google’s language, as revealed in the case, is particularly noteworthy, as it appears to be an attempt to protect itself from further scrutiny.

By updating its help pages in 2023 to explain to providers how to avoid sending health information to Google, the company may be seen as taking steps to mitigate potential liability.

Specifically, Google’s language, which states that customers “may only use Google Analytics on pages that are not HIPAA-covered,” can be seen as an effort to shift the responsibility for protecting sensitive health information onto the providers themselves.

This move is significant, as it highlights the complex and often opaque relationships between Google’s services, website data, and user information. The fact that many people may not be aware of the connections between Google’s services and website data makes this case all the more important, as it sheds light on the company’s data collection practices and the potential risks to user privacy.

The recent developments in the Google case, particularly the company’s efforts to avoid further scrutiny in 2023, highlight the potential risks and consequences of failing to conduct thorough risk analyses and implement effective security measures to protect sensitive health information.

The settlement between the US Department of Health and Human Services’ Office for Civil Rights (OCR) and Health Fitness Corporation, a wellness plan provider, is a notable example of the consequences of such failures.

The company agreed to pay a fine of $227,816 and implement a corrective action plan to ensure compliance with the HIPAA Security Rule, after it was found that thousands of customers were affected by a breach that led to personal health information becoming discoverable online.

The Google case and the Health Fitness settlement share a common thread – the importance of proactive measures to prevent data breaches and protect sensitive information.

The case against Google serves as a stark reminder of the need for robust compliance measures in the healthcare sector. The plaintiffs’ allegations that Google’s tracking technology was used to collect sensitive health information without proper consent have far-reaching implications for the company, the tech industry, and users alike.

As the case continues to unfold, it is likely to raise important questions about the balance between commercial interests and individual privacy, as well as the need for more stringent regulations to protect sensitive information.

Moreover, the trend of patients seeking out professional help personally, without the assistance of intermediaries, underscores the importance of protecting sensitive health information, not only to prevent harm, but also to safeguard patients’ dignity and personal autonomy.