SAN FRANCISCO (CN) — Hoping for a dismissal, Google told a federal judge Thursday that it did not deliberately track, collect and monetize private health information from health care websites and that it could not control if a third-party, such as a health care web provider, sent sensitive information to Google despite Google’s warnings.
In a 2023 class action, the group of patients claimed that Google used its source code on health care provider websites to collect sensitive health information without their knowledge or consent, violating state and federal law as well as Google’s own terms of service.
At the motion to dismiss hearing Thursday, Eduardo Santacana, counsel for Google, told U.S. District Judge Vince Chhabria, a Barack Obama appointee, that the complaint should be dismissed with prejudice because the plaintiffs have not adequately claimed that Google intended to track and collect the information.
Santacana said that there is no claim that any person was actually identified and that the Google source code is not configured out of the box to collect any health information at all.
“What the product does out of the box is it sends the URL of the page. There’s nothing about the design of the product that’s intended to capture protected health information,” Santacana said.
He added that there are documents on the record that show Google tells its business partners to not send it data with personally identifiable information that could violate privacy laws like the Health Insurance Portability and Accountability Act or HIPAA. If a business partner ignores that warning and places personal information in the URL of a webpage, Google cannot control that, Santacana argued.
“It’s not a traceable injury when your liability depends on the independent actions of a third party,” Santacana said. “When we’re talking about the independent actions of third parties that we have no control over, I don’t think that you can use that to make somebody criminally or civilly liable.”
Melissa Gardner, counsel for the class plaintiffs, said that prior to 2023, Google did not have any warnings to health care providers about keeping personal information out of data sent to Google, and that the normal use of Google source code on health care web pages would inevitably lead to people’s health information ending up in Google’s hands, leading her to believe Google intended to collect health information the entire time.
The plaintiffs claim that Google source code is on 94% of health care provider web properties in the United States, and that Google collected unique patient identifiers — including communications relating to specific doctors, appointment requests, symptoms, conditions, treatments, insurance and prescription drugs.
Google is then able to amplify the knowledge and insight it has about patients, compile detailed and precise profiles on patients and monetize that information into advertising revenue, the plaintiffs say.
Gardner said Thursday everything sent to Google is identifiable and has always been identifiable, and that Google misled its partners.
“Google has to show that it obtained consent to what it did. It never clearly explained what was really happening,” Gardner said.
Chhabria agreed with Gardner’s argument that Google tracked the plaintiffs extensively, and that the information Google collected or received was sensitive, but said that it is not on Google to police third parties and that it was a courtesy that Google even warned health care providers about sending private health information because Google had no affirmative duty to do so.
“It’s the health providers who are supposed to know their obligations under HIPAA. It’s the health providers who have the responsibility under HIPAA to protect people’s private health information,” Chhabria said, adding that a reasonable health provider should heed Google’s warnings and make sure they were using Google source code in a way that didn’t violate privacy laws.
“The argument we’re trying to make is that this document tells you the way to avoid violating HIPAA is to not send us personal identification information. But what it doesn’t tell you is that everything you send is identifiable,” Gardner replied.
Chhabria said he might end up ruling against the plaintiffs on all claims but that he had to think about it further, promising a written order.
Subscribe to our free newsletters
Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.


