CareNow: Lawsuits target healthcare firms for data breaches

CareNow: Lawsuits target healthcare firms for data breaches

Healthcare Data Breaches Spark Wave of Class Action Lawsuits in Tennessee

A series of class action lawsuits in state and federal courts are targeting major healthcare corporations for exposing patients’ personally identifiable information (PII) and protected health information (PHI).

On June 11, three plaintiffs filed a lawsuit in Davidson County Circuit Court against CareNow, an urgent care provider with over 20 locations in Middle Tennessee and a subsidiary of HCA Healthcare, the nation’s largest for-profit hospital operator. The complaint alleges that CareNow secretly shared patient data with Google and third-party marketing firms via tracking technologies embedded in its online appointment platform. The plaintiffs claim this violated HIPAA laws, allowing advertisers to link patients’ health data with their Google accounts for targeted advertising. The lawsuit details that patients were repeatedly prompted to complete CAPTCHAs until they accepted first-party cookies, enabling Google to track and transmit their data including appointment details, physician names, treatment requests, and IP addresses without consent.

The complaint argues that CareNow knowingly profited from these disclosures, exposing patients to risks such as workplace discrimination and insurance denial. HCA Healthcare has denied the allegations, stating it will vigorously defend its position.

Separately, 12 class action lawsuits were filed in June in the U.S. District Court for the Middle District of Tennessee against XSolis, a Franklin-based healthcare AI company. The suits stem from a January 20 breach in which hackers accessed 1.4 million patients’ PII and PHI, including medical records and Social Security numbers. Plaintiffs allege XSolis failed to encrypt or redact sensitive data, leading to a preventable breach that heightens risks of identity theft and financial fraud. XSolis’ Dragonfly platform, which uses AI to evaluate patient care needs, was reportedly compromised in the attack.

Both cases highlight growing legal scrutiny over healthcare data security and the consequences of unauthorized data sharing.

Source: https://nashvillebanner.com/2026/07/07/hca-healthcare-hipaa-lawsuit-data-breach/

CareNow cybersecurity rating report: https://www.rankiteo.com/company/carenow

"id": "CAR1783427639",
"linkid": "carenow",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'Middle Tennessee, USA',
                        'name': 'CareNow',
                        'size': '20+ locations',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare',
                        'location': 'USA',
                        'name': 'HCA Healthcare',
                        'size': "Nation's largest for-profit hospital operator",
                        'type': 'Hospital Operator'},
                       {'customers_affected': '1.4 million patients',
                        'industry': 'Healthcare Technology',
                        'location': 'Franklin, Tennessee, USA',
                        'name': 'XSolis',
                        'type': 'Healthcare AI Company'}],
 'attack_vector': ['Tracking Technologies', 'Third-Party Access'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '1.4 million',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['PII',
                                              'PHI',
                                              'Medical Records',
                                              'Social Security Numbers']},
 'date_detected': '2024-01-02',
 'date_publicly_disclosed': '2024-06-11',
 'description': 'A series of class action lawsuits in state and federal courts '
                'are targeting major healthcare corporations for exposing '
                'patients’ personally identifiable information (PII) and '
                'protected health information (PHI). CareNow, a subsidiary of '
                'HCA Healthcare, is accused of secretly sharing patient data '
                'with Google and third-party marketing firms via tracking '
                'technologies. XSolis, a healthcare AI company, faced a breach '
                "exposing 1.4 million patients' PII and PHI due to unencrypted "
                'data.',
 'impact': {'brand_reputation_impact': ['Workplace Discrimination Risk',
                                        'Insurance Denial Risk'],
            'data_compromised': ['PII',
                                 'PHI',
                                 'Medical Records',
                                 'Social Security Numbers',
                                 'IP Addresses',
                                 'Appointment Details',
                                 'Physician Names',
                                 'Treatment Requests'],
            'identity_theft_risk': True,
            'legal_liabilities': ['Class Action Lawsuits', 'HIPAA Violations'],
            'systems_affected': ['Online Appointment Platform',
                                 'Dragonfly AI Platform']},
 'motivation': ['Financial Gain', 'Unauthorized Data Monetization'],
 'post_incident_analysis': {'root_causes': ['Lack of Encryption',
                                            'Inadequate Data Redaction',
                                            'Unauthorized Data Sharing']},
 'references': [{'source': 'Class Action Lawsuit Filing'}],
 'regulatory_compliance': {'legal_actions': ['Class Action Lawsuits'],
                           'regulations_violated': ['HIPAA']},
 'response': {'communication_strategy': ['Denial of Allegations']},
 'title': 'Healthcare Data Breaches Spark Wave of Class Action Lawsuits in '
          'Tennessee',
 'type': ['Data Breach', 'Unauthorized Data Sharing'],
 'vulnerability_exploited': ['Lack of Encryption',
                             'Inadequate Data Redaction',
                             'Unsecured Data Transmission']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.