Kaiser Member Seeks National Class Over Microsoft Tracking

Kaiser Permanente already paid for its tracking habit once. Now the lawsuit aimed at the technology companies on the other end of the wire has reached its most dangerous stage. A Kaiser member known as Jane Doe has asked a federal judge in Seattle to certify a series of national classes and California subclasses in her privacy suit against Microsoft and Qualtrics, the firms whose code allegedly sat inside Healthy.KaiserPermanente.org and quietly harvested what patients searched, watched, and read about their own medical conditions.

If Judge John C. Coughenour grants the motion, two of the world's largest software vendors would face classwide liability for health data interception, a question that until now has mostly been settled quietly by the hospitals themselves.

Key Takeaways

• Jane Doe, a Kaiser Permanente member, moved on June 8, 2026 to certify national classes and California subclasses in the US District Court for the Western District of Washington.
• Microsoft's software development kit and Qualtrics' Site Intercept tool allegedly captured page URLs, search terms, prescription details, medical conditions, immunization records, and allergy lists from Kaiser's website.
• Judge John C. Coughenour let the core claims survive dismissal in December 2023, including invasion of privacy, unjust enrichment, California Unfair Competition Law violations, and parts of CIPA section 631(a).
• This case is separate from Kaiser's own settlement of up to roughly $46 million over pixels that sent 13.1 million patients' data to Google, Bing, and X.
• The motion targets the vendors that received the data, not the health system that installed the trackers, a shift that could reshape who answers for health data interception.

What Does the Class Certification Motion Ask For?

It asks Judge Coughenour to let one plaintiff stand in for millions. According to Law360's June 8, 2026 report, the Kaiser member called on the court to greenlight a series of national classes plus California subclasses covering patients whose private health information was allegedly intercepted through tracking technologies embedded in the health system's website.

Class certification is the hinge of any case like this. Individually, one patient's intercepted browsing history is worth little in court. Aggregated across millions of Kaiser members, the same conduct becomes an existential damages number, which is why certification fights are where defendants spend their heaviest ammunition. Microsoft and Qualtrics, represented by firms including Davis Wright Tremaine and Wilson Sonsini, will now get their chance to argue that the proposed classes cannot hold together.

How Did Microsoft and Qualtrics Allegedly Get Patient Data?

Through their own code running inside Kaiser's website. The complaint, filed May 15, 2023, alleges that a Microsoft software development kit and Qualtrics' Site Intercept tracking tool were embedded in Healthy.KaiserPermanente.org and "vacuumed up" visitor data without knowledge or consent, according to ClassAction.org's summary of the complaint.

The list of allegedly intercepted data is not abstract metadata. It includes the URLs of each page visited, search terms, videos viewed, prescription details, medical conditions and records, immunization information, and allergy lists. That is the kind of information patients assume stays between them and their doctor, captured at the moment they typed it into a health portal.

None of this is unusual in American healthcare, which is the uncomfortable part. A study of hospital websites found tracking code transmitting visitor data on a staggering share of pages; we covered the numbers in the hospital tracking pixel breach study. What is unusual here is who is being sued.

Which Claims Survived to Reach This Point?

The core privacy claims are intact. On December 19, 2023, Judge Coughenour largely denied the companies' motions to dismiss, allowing Doe to advance claims for invasion of privacy under the California Constitution, intrusion upon seclusion, unjust enrichment, violations of the California Unfair Competition Law, and portions of her claim under section 631(a) of the California Invasion of Privacy Act, per the American Health Law Association's case analysis. A Computer Fraud and Abuse Act claim and a few others were dismissed.

The surviving CIPA wiretapping theory matters beyond this courtroom. Section 631 is the same statute driving hundreds of interception suits against trackers across California, including a fast growing wave aimed at email senders, which we documented in the CIPA email tracking lawsuit wave. The full docket history is available on CourtListener.

Is This the Same Case as Kaiser's $46 Million Settlement?

No, and the distinction is the story. Earlier in 2026, Kaiser itself agreed to pay up to roughly $46 million to resolve claims that tracking pixels on its websites and apps sent 13.1 million patients' data to Google, Bing, and X over roughly seven years. We covered that settlement in detail in Kaiser's tracking pixel settlement. That case targeted the health system that installed the trackers.

Doe v. Microsoft flips the aim. It goes after the technology vendors that built the tracking tools and received the data, arguing they are liable for the interception itself. Kaiser is not a defendant. If national classes are certified against Microsoft and Qualtrics, every analytics and survey vendor whose code sits inside a hospital website inherits the same exposure, regardless of what the hospital agreed to pay.

The interception model at issue should sound familiar to anyone who has read about email tracking. An invisible piece of code, planted where you cannot see it, reports your behavior to a third party the instant you act. That is precisely how tracking pixels work inside marketing email: opening a message fires a hidden request that tells the sender, and often their analytics vendors, when, where, and on what device you read it. The courtroom labels change; the architecture does not.

What Happens Next, and What Should Patients Do?

Microsoft and Qualtrics will oppose certification, and Judge Coughenour's ruling will likely take months. A certified national class would put enormous settlement pressure on both companies; a denial would shrink the case to a handful of individual claims. Either way, the ruling will be read closely by every vendor whose trackers touch health data.

In the meantime, patients can act on their own. Treat health portals like sensitive infrastructure: avoid searching symptoms while logged in if you can, review the portal's privacy notices for third party analytics disclosures, and use a browser with tracker blocking when accessing any medical website. Kaiser members who used the patient portal between 2017 and 2024 should also check whether they qualify for the separate Kaiser settlement before its claims deadline.

And remember that the same surveillance follows you out of the portal and into your inbox. Healthcare providers, insurers, and pharmacies send marketing email with embedded tracking pixels just like retailers do. Blocking those trackers at the browser level closes the loop the lawsuits are still arguing about.

Sources: Law360, ClassAction.org, American Health Law Association, and CourtListener docket for Doe v. Microsoft Corp..