
Our Take

Healthcare Data Case Against Google May Proceed - Rules U.S. District Court

On June 6, 2025, the United States District Court for the Northern District of California dismissed a number of claims brought against Google related to its alleged improper collection of health-related data through various Google services. A number of claims, though, survived Judge Chhabria's order, so the case will continue to proceed.

Key Findings and Rulings

The Court found that the Plaintiffs had sufficiently alleged that, until some point in 2023, Google intentionally obtained communications containing private health information as defined by HIPAA. The Court noted that Google’s products were designed to collect and analyze communications on webpages where they were enabled, and that some of these communications included protected health information (PHI) such as diagnoses, practitioner searches, appointment bookings, and bill payments. The Court also found that the information collected could be tied to specific individuals, as Google collected data such as URLs, cookies, and IP addresses, which could reasonably be used to identify individuals.

However, the Court distinguished between Google’s conduct before and after it updated its guidance to healthcare providers in 2023. In 2023, Google issued clear instructions to its healthcare clients, emphasizing that Google did not want to receive PHI and instructing clients not to use Google Analytics on HIPAA-covered pages. The Court found that after this update, there was no plausible inference that Google intentionally obtained PHI. Therefore, claims based on communications after the 2023 update were dismissed, while claims based on earlier conduct were allowed to proceed.

The Court addressed several specific claims:

  • Wiretap Act and CIPA Claims: The Court found that consent to install Google’s products did not necessarily equate to consent to the collection of PHI, making consent a factual issue. The Court also found that Google could be considered a third party using the data for its own purposes, and that the URLs and events collected could constitute the “contents” of a communication.
  • Intrusion Upon Seclusion and Common Law Privacy: The Court held that plaintiffs had a reasonable expectation of privacy in their health-related website activity and that the alleged collection of PHI by Google was sufficiently offensive to survive dismissal at this stage.
  • Breach of Contract: The Court allowed claims to proceed where Google allegedly promised not to collect health information except in limited circumstances, but dismissed claims related to the use of health information in personalized advertising, as there was insufficient evidence that Google used PHI for this purpose.
  • Unjust Enrichment: The Court allowed this claim to proceed, as plaintiffs plausibly alleged that Google unlawfully collected and derived value from their health information.

Implications for the Use of Healthcare Data

This order suggests several implications for companies that collect and use data that may contain PHI.

1. Intent and Guidance Matter: Companies must provide clear, proactive guidance to clients about the handling of PHI. Failure to do so may expose them to liability for the unintentional collection of sensitive data.

2. Identifiability Standard: The Court reaffirmed that information is considered individually identifiable under HIPAA if there is a reasonable basis to believe it can be used to identify an individual, even if the person is not actually identified.

3. Consent is Contextual: Consent to use a product does not automatically extend to the collection of all types of data, especially sensitive health information. Explicit, informed consent is critical.

4. Reasonable Expectation of Privacy: Users have a reasonable expectation of privacy in their health-related online activities, and companies must respect this expectation or risk liability.

5. Broader Application: These principles may apply to any technology company or service provider handling sensitive health data, emphasizing the need for robust privacy practices, clear disclosures, and strict compliance with federal and state privacy laws.

As a preliminary matter, there is no dispute that Google received some communications between health providers and users of the providers’ websites. That’s the point of Google’s products—the source code is designed to collect and analyze communications on the webpages on which it is enabled.