Image: CareNow, which operates more than 20 urgent care centers across Middle Tennessee, is the subject of a lawsuit that alleges the company provided patients’ confidential personal information to marketing and advertising companies. Image Credit: Martin B. Cherry / Nashville Banner
A class action suit alleges that HCA divulged “a trove” of patients’ personal information to Google and other companies for its own profit.
Image Credit: Martin B. Cherry / Nashville Banner
***Note from The Tennessee Conservative – this article posted here for informational purposes only.
This story was originally published by the Nashville Banner. Sign up for their newsletter.
by Mikeie Honda Reiland [The Nashville Banner, Creative Commons] –
A suite of recent class action lawsuits in state and federal courts seeks to hold large healthcare corporations accountable for exposing or leaking patients’ personally identifiable information (PII) and protected health information (PHI).
On June 11 in Davidson County Circuit Court, three Jane Does filed suit against CareNow, which operates more than 20 urgent care centers across Middle Tennessee and is owned by HCA Healthcare, Nashville’s second-largest employer and the nation’s largest for-profit hospital operator. According to the Nashville Business Journal, HCA employed 27,000 people in Middle Tennessee at the end of 2025.
Per the complaint, CareNow “surreptitiously” divulged “a trove of PII” to Google and third-party marketing and advertising companies for its own profit by using tracking technologies when patients scheduled appointments online through CareNow’s platform. The plaintiffs allege that this information allowed Google and the other companies to — in violation of HIPAA laws — identify the patients by linking them with their Google accounts and “exploit their health information for advertising purposes.”

“Defendant did all this knowing it constituted a violation of HIPAA and state law, for the purpose of reaping the illicit financial gains from its criminal and tortious disclosures of patients’ PHI,” the complaint reads.
According to the complaint, when visiting CareNow’s appointment-making website, patients were repeatedly prompted to complete a CAPTCHA until they allowed first-party cookies — data files that remember your preferences as you browse a website. This requirement allowed the website to deposit Google cookies on patients’ devices, track their information and relay it to third-party marketing organizations without patients’ consent. On its website, Google mentions that Google Analytics is not usable for certain HIPAA-bound entities.
“Information about a person’s physical and mental health is among the most confidential and sensitive information in our society,” the complaint reads, “and the mishandling of medical information can have serious consequences including, but certainly not limited to, discrimination in the workplace or denial of insurance coverage.”
The complaint alleges that CareNow disclosed, at minimum, the following information about patients:
- Their patient status
- Their use of CareNow’s appointment-making website
- Their appointment scheduling
- The names of their physicians
- Their appointment information, including requests for, receipt of and communication surrounding their treatment and the reason for the appointment
- Their physical location
- Their searches for information around medical providers
- Patients’ IP addresses
Third-party companies can use this information to perform “ID bridging,” the process of piecing together a user’s identity, which the complaint described as a “money-making machine for advertisers and app developers” because it helps them find people who want to buy their specific products. Beyond advertising, this process can also lead to political targeting.

Reached for comment, HCA provided the following statement:
“We disagree with the allegations that have been made, and we plan to defend them aggressively through the legal process.”
Additionally, throughout June, 12 lawsuits were filed in U.S. District Court for the Middle District of Tennessee as part of a class action complaint against XSolis. This Franklin-based healthcare company provides artificial intelligence-driven software for managing and evaluating patient records. The company’s Dragonfly platform uses AI to continuously assign and update scores that reflect the level and medical necessity of each patient’s required care.
Per the complaints, on Jan. 20, hackers breached the company’s network. They accessed patients’ PII and PHI, including medical treatment information and Social Security numbers, posing a risk of identity theft and financial fraud. The plaintiffs argue that XSolis failed to encrypt or redact their data, negligence that resulted in a “foreseeable, preventable” data breach.
The breach has affected approximately 1.4 million patients nationwide.


One Response
Hope the patients prevail.