The Lawsuits Over AI in Healthcare Have Reached California's Exam Rooms

1. It started in the exam room

The most important development for community health centers is also the newest. Sharp deployed the Abridge ambient AI scribe around April 2025 — a tool that listens to the visit, transcribes it, and drafts the clinical note. The November 2025 complaint alleges it recorded the patient's exam and sent the audio to the vendor's cloud without his consent, and that the chart carried boilerplate language saying he'd been advised and consented when, he says, no one ever asked.

Then it spread. In April 2026, patients filed a second class action — Washington v. Sutter Health, joined with MemorialCare, in the Northern District of California (No. 4:26-cv-03012) — again naming Abridge, again alleging the scribe intercepted intimate medical conversations without consent. Two California cases in five months, naming a vendor that community health centers across the state already run, is not a coincidence. It is a pattern.

Here is why this lands on FQHCs specifically. California's Invasion of Privacy Act (CIPA) is an all-party-consent statute: a confidential conversation can't be recorded unless everyone agrees. The plaintiffs' theory is brutally simple — recording a patient visit and sending the audio to a vendor for transcription is an interception, full stop, and it needs the patient's consent. Abridge, Suki, Sunoh.ai, and Nabla are deployed widely across community health centers, often inside OCHIN Epic. The risk isn't the technology; it's the consent. And the Sharp complaint's sharpest allegation — that the chart falsely documented consent — is a warning against exactly the after-the-fact, boilerplate 'consent' that's easiest to fall into.

Worried this is only about clinical tools? A parallel consolidation, In re Otter.ai Privacy Litigation in the Northern District of California, shows the same mechanics — auto-record, build a voiceprint, train on the conversation, capture non-consenting bystanders — applied to a general notetaker. Malpractice carriers now flag the scribe-recording-consent problem as the near-term liability, ahead of any documentation-error claim. The fix is operational, not technological: capture genuine, documented, all-party consent at the point of care, and don't rely on portal boilerplate.

2. The algorithms that say no

The highest-dollar AI litigation isn't about scribes — it's about denial. And its flagship case is Californian. In Kisting-Leung v. Cigna (Eastern District of California, No. 2:23-cv-01477), insureds allege Cigna's 'PxDx' system batch-denied claims without genuine review — reporting found physicians denied hundreds of thousands of claims in two months at about 1.2 seconds each. In March 2025 the court rejected Cigna's 'discretionary authority' defense and let the bad-faith and Unfair Competition Law claims proceed.

The national companion is 'nH Predict,' the NaviHealth algorithm at the center of suits against UnitedHealth (Estate of Lokken) and Humana (Barrows) for cutting off Medicare Advantage post-acute care. The 2026 headline: a magistrate ordered UnitedHealth to disclose how the algorithm actually works — the first real look inside a denial engine — after the plaintiffs alleged a roughly 90% reversal rate on appeal.

For an FQHC, this front is the receiving end — and California has handed you a tool. SB 1120, the 'Physicians Make Decisions Act', effective January 1, 2025, codifies the plaintiffs' exact theory: a health plan may not let AI deny, delay, or modify care based on medical necessity — only a licensed physician may, based on the patient's own record. When a Medi-Cal managed-care plan denies your prior auth, the state's guidance says a qualified human must own that decision. Make your revenue-cycle team demand it, and escalate suspected algorithmic denials to DMHC or CDI. The federal floor (CMS's Medicare Advantage rule) says the same thing.

3. California's $5,000 problem

Why is California the epicenter? One number: $5,000. That's CIPA's statutory damages per violation — per patient, per recording — with a private right of action and, in state court, no requirement to prove concrete injury. Multiply it across a patient panel and the exposure becomes existential fast. It is the single most important fact on this page, and the calculator below makes it concrete.

It is no longer theoretical. In August 2025, a San Francisco jury found Meta liable under CIPA for intercepting reproductive-health data from the Flo app — the first trial verdict of this wave, with exposure Meta itself called 'multiples of billions.' The flagship provider case, In re Meta Pixel Healthcare Litigation in the Northern District of California, has survived two motions to dismiss and is in the class-certification stage (note: a separate Meta Pixel *tax* case had certification denied in 2026 — not this healthcare matter).

And the settlements are real. Kaiser Permanente agreed to pay up to $47.5 million over tracking pixels on its patient portals, tied to a 13.4-million-person breach — the largest ever from tracking technology. But the number an FQHC should watch is smaller: MarinHealth, a California community hospital, settled for $3 million, and Eisenhower Medical Center for $875,000. Those are the size analogs — not the giants.

Two cross-currents matter. The Ninth Circuit's Popa v. Microsoft (August 2025) raised the bar for generic-metadata CIPA cases — but plaintiffs respond by pleading genuinely health-specific data, which puts healthcare defendants on the wrong side of the new line. And after AHA v. Becerra (2024) vacated part of OCR's tracking-tech guidance, HIPAA may not reach pixels on your *public* pages — but CIPA and CMIA still do, and trackers on your *authenticated* patient portal remain squarely within HIPAA. The practical move: audit every third-party tag on your site and portal, and consent-gate or remove anything on a health-topic page.

4. The dog that hasn't barked

Here's the surprise. Despite years of documented failures of clinical AI — IBM Watson for Oncology's unsafe recommendations, and the Epic Sepsis Model, which an independent validation found caught only about a third of sepsis cases — there is still no docketed lawsuit naming a diagnostic or decision-support AI as the cause of a patient's injury. The dog hasn't barked.

Why not? Three doctrines converge. The learned-intermediary rule routes blame to the clinician who signed off, so the case is filed as ordinary malpractice and the AI never appears as a defendant. FDA preemption shields cleared device makers from state tort claims. And causation through a black box — proving the AI, not the treating team's judgment, caused the harm — is extraordinarily hard. The precedent that could crack this open isn't from health care at all: Garcia v. Character Technologies, where a court held an AI system can be a 'product' subject to strict liability — the doorway a future clinical-AI product-liability claim would walk through.

So what's the real clinical-AI risk for an FQHC today? Being the backstop. The clinician who signs the AI-drafted note owns its accuracy, the coder who accepts an AI-suggested code owns the claim, and the medical director who deploys an unvalidated risk model owns the fallout. The lesson the Epic Sepsis Model teaches isn't fear of lawsuits — it's procurement diligence: demand prospective validation before you deploy.

5. The rulebook is already written

Lawsuits grab headlines, but for an FQHC the binding obligations are the real story — and California has already written them. AB 3030 requires a disclaimer and a path to a human when generative AI sends patients clinical communications — unless a licensed provider reviews the message first (the practical safe harbor). AB 489 bars AI from implying it's a licensed clinician. And the Attorney General's January 2025 healthcare advisory warns that AI in care, scheduling, and billing must already comply with existing law — and that a 'neutral' tool can still violate it through disparate impact.

The federal layer binds you too. Section 1557's §92.210 requires entities receiving federal funds — FQHCs squarely included — to identify and mitigate discrimination in clinical decision-support tools, even simple ones like a race-corrected risk calculator. (Federal enforcement posture is in flux, but California's own civil-rights laws impose a nearly identical duty regardless.) And the DOJ has flagged AI-assisted upcoding as a False Claims Act priority — meaning a clinician must review and attest to AI-generated codes before you bill.

Notice the through-line. A human-in-the-loop — a licensed clinician reviewing AI output before it goes out — is the master control. It satisfies AB 3030's exemption, protects medical-necessity integrity under SB 1120 and CMS rules, defends against False Claims Act exposure, and supports your Section 1557 duty. One discipline, four legal regimes. Vendors are in the crosshairs too: the Texas Attorney General's settlement with Pieces Technologies over unsubstantiated accuracy claims was the first AG action against a health-AI vendor, and California's AG can do the same under the Unfair Competition Law — so get any 'accuracy' or 'hallucination rate' a vendor advertises defined and substantiated in writing.

6. What to do Monday morning

You don't need to be a defendant to act. Six moves, in rough priority order:

• **Audit your website and portal for third-party tags.** Inventory every pixel, chat widget, scheduling tool, and analytics script. Remove or consent-gate anything on a health-topic page or your patient portal. This is the highest-frequency, highest-dollar CIPA risk.
• **Lock down ambient-scribe consent.** Before any Abridge/Suki/Sunoh/Nabla recording, capture documented all-party consent at the point of care — a real verbal script, not boilerplate the chart auto-fills. Train front desk and clinicians.
• **Route AI-drafted clinical messages through a clinician** to use AB 3030's safe harbor — and make sure no patient-facing AI implies it's a licensed clinician (AB 489).
• **Use SB 1120 on denials.** Train your revenue-cycle team to demand the qualified-human attestation on Medi-Cal MCO and insurer medical-necessity denials, and escalate suspected algorithmic denials to DMHC or CDI.
• **Stand up a decision-support inventory + bias file.** Section 1557 and the AG advisory both require it. List every algorithm and risk score, flag any using protected-class inputs, and document mitigation — with special attention to your limited-English-proficiency patients.
• **Make vendor diligence a contract gate.** Require AB 2013 training-data disclosures, a BAA covering any training or secondary use, defined and substantiated accuracy metrics, and indemnification for CIPA/privacy claims before you deploy.