AI Note-Taker Sparks Lawsuit Against Healthcare Systems

Inside This Article: 

  • Several California residents are suing two healthcare systems over allegations that an AI transcription tool recorded their visits without consent. 
  • Older privacy laws are frequently being applied to modern AI tools and data collection practices. 
  • Healthcare organizations should review Cyber, Privacy, and Healthcare Liability Insurance coverage to understand potential gaps tied to AI-related privacy claims. 
  • Companies implementing AI tools should establish clear consent practices and evaluate vendor agreements. 

As AI adoption surges across the healthcare industry, organizations are facing mounting pressure to balance innovation with patient privacy and evolving cyber liability risks. A recent lawsuit over an AI medical note-taking tool put that trend to the test. Several California residents filed a class-action lawsuit against Sutter Health and MemorialCare alleging that an AI transcription platform recorded confidential doctor-patient conversations without their consent.

The lawsuit, filed in April in San Francisco, alleges that medical staff used Abridge AI to record conversations that included medical histories, diagnoses, medications, and treatment discussions, Ars Technica reported. It states that patients were not clearly informed that their conversations would be recorded by an AI platform or processed through third-party systems.

The litigation is “not surprising and will continue to increase given the rapid expansion of AI use in healthcare and other industries,” said Kyle Bell-Colfer, CIPP/US, Broker, Cyber Liability, Burns & Wilcox, Brokerage Division, Chicago, Illinois. “There is currently a race to implement new technology and identify use cases that improve business practices, reduce costs, and enhance data collection and use. With that accelerated adoption, however, the lack of established privacy protocols will inevitably invite litigation.”

The lawsuit highlights growing concerns around how healthcare organizations use AI to document patient interactions and the risk of costly legal action over these practices. While Cyber & Privacy Liability Insurance is often associated with ransomware attacks and data breaches, the coverage can also respond to privacy-related lawsuits, regulatory actions, and other claims tied to the collection or handling of sensitive patient information. Depending on the allegations, Healthcare Liability Insurance may also come into play when claims involve patient consent, documentation practices, or the delivery of care.

“A lawsuit like this, especially when it comes to health information, can be quite costly,” said Joe Smith, Broker, Professional Liability, Burns & Wilcox, Brokerage Division, San Francisco, California. “Health information is probably the most protected asset that individuals have other than financial information.”

Healthcare remains a major cyber target

Healthcare organizations continue to face significant cyber and privacy risks. In 2025, healthcare was targeted for ransomware attacks and other cyber threats more than any other industry, FBI data showed. Healthcare breaches cost an average of $7.42 million per incident last year, making them the most expensive cyber threats of any industry, according to IBM’s 2025 Cost of a Data Breach Report.

“Healthcare remains a prime target for cybercriminals,” Bell-Colfer said. “This is due, in part, because protected health information (PHI) is highly valuable, difficult to change, and can be exploited long after a breach occurs. The industry’s heavy regulation under HIPAA, combined with public breach reporting by OCR, also makes it a frequent focus for the plaintiffs’ bar.”

Companies can be held liable for privacy claims whether or not a network intrusion occurs, with lawsuits often alleging that organizations improperly collected, used, or secured personal information, or did so without adequate consent mechanisms. Under a healthcare company’s Cyber & Privacy Liability Insurance policy, lawsuit-related costs such as legal defense and settlements may be covered, Bell-Colfer said.

“When properly placed, Cyber Insurance policies can be triggered not only by data breach incidents, but also by privacy claims arising from alleged violations of statutes such as CIPA, ECPA, VPPA and related state and federal privacy and wiretap laws,” he explained.

When a healthcare data breach occurs, the financial impact is often substantial, Smith said. “If there was a loss, there will be all of the first-party costs associated like breach response, forensics, and reputational harm, and then the third-party costs for patients who had their healthcare information compromised,” he said.

Older privacy laws being applied to AI tools

One common misconception surrounding AI and privacy, according to Bell-Colfer, is that emerging AI tools fall outside the scope of legal scrutiny because regulation is still evolving. However, long-standing privacy laws are already being applied to modern technologies.

“The laws that can be used already exist,” he said. “Further laws are coming out related to AI to address that specifically, but right now there is a repurposing of old laws that never really contemplated exposures like AI note-takers.”

For example, the California Invasion of Privacy Act, originally enacted in 1967, is frequently cited in privacy-related litigation involving digital data collection practices, as is Illinois’ Biometric Information Privacy Act (BIPA), which was established in 2008. “AI note-takers use speech recognition to understand who is talking,” Bell-Colfer said. “Features like this can trigger additional consent and compliance obligations under biometric laws such as BIPA where biometric voiceprints are created.”

Organizations deploying AI tools should carefully review their vendor agreements and consent practices before implementation. This should include “clear and conspicuous disclosure” on how data is collected, processed, and shared, as well as obtaining explicit opt-in consent beforehand — “not simply providing notice or opt-out mechanisms but affirmative consent,” he said.

According to Smith, organizations often underestimate their level of cyber risk. “The number one misunderstanding I get is that clients think because they outsource their IT to a third-party vendor, that vendor is responsible for it,” he said. “At the end of the day, if you are servicing a client, who is the client going to come after?”

Companies often “assume the liability is not passed to them,” Bell-Colfer agreed. “Many companies are not vetting vendors thoroughly or setting strong contractual language when able,” he said. “That is a component that is missed a lot of times by organizations leveraging these tools.”

‘Everyone has an exposure’

As AI adoption expands, healthcare organizations should carefully review their insurance policies and privacy frameworks and discuss new AI tool implementation with their insurance broker and legal counsel, Bell-Colfer said. Some carriers are beginning to introduce AI-specific endorsements as well as exclusions tied to biometric data and other forms of data collection.

“There are quite a few policies out there with exclusionary language or language that is not broad enough to pick up all the ways AI note-takers, chatbots, and other similar tools create liability. It is important to have that conversation with your insurance broker,” Bell-Colfer said, adding that higher limits should also be discussed. “Rather than simply purchasing $1 million in limits, many companies are now looking to purchase $5 million, $10 million, or more because they understand how expensive and commonplace privacy lawsuits are becoming in this sector.”

Organizations across industries are still trying to understand the cyber and privacy risks associated with AI, Smith said. “I do not think anyone is really aware of how AI is changing the landscape of our day-to-day lives,” he said. “Everyone has an exposure. Whether you are a brick-and-mortar company or a tech company, anyone could be hacked by bad actors and suffer a financial loss from it.”
