Case Caption: In re Doe v. Kaiser Foundation Health Plan, Inc., et al.
Court: United States Northern District of California
Case Number: 3:23-cv-02865
Judge: Honorable Edward M. Chen
Plaintiff: John Doe, John Doe II, Jane Doe, Jane Doe II, Jane Doe III, Jane Doe IV, Jane Doe V, and Alexis Sutter
Defendant: Kaiser Foundation Health Plan, Inc; Kaiser Foundation Hospitals, Kaiser Foundation Health Plan of Washington
This data privacy class action alleges that Defendants embedded code on the Kaiser Permanente Website (“Site”) and Mobile Applications (“Apps”) that intercepts and redirects confidential personal and medical information to third party companies like Twitter, Adobe, Google, Quantum Metric, and Dynatrace, without patients’ consent. Under the Health Insurance Portability and Accountability Act (“HIPAA”), and other laws, healthcare providers and insurers must follow strict rules to safeguard patients’ sensitive health information.
On June 9, 2023, Plaintiffs John Doe and Jane Doe filed this lawsuit, bringing federal claims under the Electronic Communications Privacy Act, on behalf of Kaiser Plan Members nationwide, as well as claims under California and Washington law. On September 15, 2023, Plaintiffs filed an Amended Complaint (“FAC”), which also asserted claims regarding the Apps, and included additional John Doe and Jane Doe plaintiffs pursuing claims under Georgia, Maryland, Oregon, Virginia, and District of Columbia laws.
On October 4, 2023, Plaintiffs filed a Motion for a Preliminary Injunction (“Motion”), asking the Court to order that Defendants remove the code from the Site and Apps. On November 22, 2023, Defendants disclosed for the first time that Kaiser began disabling, deleting, or modifying the code after Plaintiffs filed their Complaint and completed that process on November 13, 2023. Based on Defendants’ representation that it had provided the relief that Plaintiffs sought through the Preliminary Injunction, Plaintiffs withdrew their Motion.
On April 11, 2024, the Court denied and granted in part defendants’ Motion to Dismiss the First Amended Complaint, allowing Plaintiffs leave to amend. Shortly thereafter, on April 12, 2024, Kaiser began notifying regulators of the privacy breach.
On May 9, 2024, Plaintiffs filed their Second Amended Class Action Complaint, including additional allegations supporting their previously dismissed claims. Kaiser again moved to dismiss and compel arbitration; however, Kaiser’s motions were effectively set aside following the consolidation of two related cases with the Action. With several overlapping actions pending, KTMC moved for appointment as co-lead counsel, which the Court granted on August 27, 2024.
On December 6, 2024, Plaintiffs filed the operative Consolidated Master Class Action Complaint, again asserting that Kaiser’s disclosure of Kaiser Permanente members’ protected information and communications violated their privacy and rights under the Electronic Communications Privacy Act, 18 U.S.C. § 2510, HIPAA, and various state statutes. On January 28, 2025, Kaiser filed its third Motion to Compel Arbitration and Request to Stay and Motion to Dismiss, which Plaintiffs opposed. The Court granted defendants’ Motion to Compel Arbitration and Request to Stay; however, oral argument on the Motion to Dismiss was taken off calendar after the Parties advised the Court that they had reached a settlement in principle.
On August 19, 2025, Plaintiffs moved for preliminary approval of a $46 million Settlement, which may be increased to $47.5 million if certain conditions are met.