The AI Broke the Law. You're the Defendant.
An AI scribe recorded three patients without consent and the hospital that signed the contract is being sued, not the vendor that built it.
On April 7, 2026, three patients filed a putative class action in the Northern District of California against Sutter Health, Memorial Health Services, and MemorialCare Medical Foundation. The complaint says that when they went in to see their doctors, a microphone-enabled device in the exam room captured the conversation, sent the audio to servers outside the clinic, transcribed it, ran it through a model that drafted a clinical note, and deposited that note in their medical record. Nobody, they allege, told them clearly that any of this was going to happen.
The product is what the industry calls an ambient clinical documentation tool, or an AI scribe, and the one at issue is built by Abridge AI, Inc. By the measures health systems actually buy on, the AI scribe works. One study found tools in this category cut documentation time by a median of 2.6 minutes per appointment and reduced after-hours charting by 29.3 percent, and if you’ve ever watched a physician finish her notes at ten at night, you understand why a hospital would sign that contract quickly.
The complaint isn’t quiet about Abridge’s role. Alston & Bird’s privacy team, reading the filing, noted that the transmission of confidential medical information to external servers, and its retention and processing by an external technology provider, is a key component of the legal theory. The vendor’s conduct is load-bearing. The vendor’s name is all over the pleading. And when the damages get counted, the vendor won’t be in the room because the people who will answer for what that system did are the health systems that decided to let it listen.
What the law thinks happened, and when
The bellwether claims are under California’s Invasion of Privacy Act, the federal Wiretap Act, and California’s Confidentiality of Medical Information Act. All three are old statutes, none of them were written with a language model in mind, and all three turn out to fit uncomfortably well.
The mechanism worth understanding is the timing. The plaintiffs argue the violation occurs at the moment of interception, when the live conversation is captured, and not later when the data is stored or used or disclosed. That single move relocates the legal event to a place most compliance programs aren’t looking. A security review asks whether the data was encrypted at rest, whether a business associate agreement was executed, whether the vendor holds a SOC 2. Those are all questions about what happens after the recording exists. The complaint says the harm was already complete before any of that mattered.
California is an all-party consent state, so everyone in the conversation has to agree to be recorded, and in an exam room that means the patient, and quite possibly the spouse or the adult child or the caregiver sitting in the corner. HIPAA doesn’t paper over this, because these statutes impose consent obligations that run separately from it. CMIA is specific enough about what a valid authorization looks like that it prescribes a font size, which tells you the legislature was picturing a piece of paper and a person’s eyes, rather than a microphone that has already been listening for eleven seconds.
Statutory damages here can be assessed per violation, which in practice may mean per encounter. A health system that ran this tool across a large patient population for a year has an exposure number that isn’t a function of how badly the AI performed. It’s a function of how many times the door closed and the visit began. Plaintiffs’ firms learned to run this math during the cookie and pixel litigation that hit hospital websites, and they are using the same statutes now.
The second half of the sentence
So the buyer holds the liability. Then the question becomes what the buyer can do about it, and there are conventionally two answers. You push the risk back to the vendor in the contract, or you insure it. Both of those doors have been closing, and they’ve been closing quietly enough that most of the people responsible for walking through them haven’t noticed.
On the contract side, the pattern is well documented by the lawyers who read these agreements for a living. Jones Walker’s AI practice describes it as a squeeze: courts are expanding vendor accountability at the same time vendor contracts are aggressively shifting risk onto the customer. Liability caps in AI agreements tend to be tight, and they tend to be pegged to fees paid rather than to harm caused, which means the ceiling on your recovery is a function of your subscription tier. Whether that survives contact with a per-encounter statutory damages claim is a question no one has answered yet.
On the insurance side, Verisk’s Insurance Services Office, which writes the standardized forms most of the American property and casualty market runs on, introduced a set of generative AI exclusions for commercial general liability policies effective January 2026. The broad one is CG 40 47, the Generative Artificial Intelligence Exclusion, and it bars coverage under both Coverage A and Coverage B for harms linked to generative AI outputs. CG 40 48 is narrower and reaches only personal and advertising injury. CG 35 08 does the same work inside products and completed operations.
These are optional endorsements, so they aren’t automatically on your policy, and the carrier has to choose to attach them. But they exist now, they have form numbers, and they are sitting in the underwriting toolkit during a renewal cycle in which every carrier is nervous about AI. The person who decides whether CG 40 47 shows up on your policy is not in your procurement meeting, and probably has never spoken to you.
Put the two together. The vendor caps what it owes you at what you paid it. The insurer, if it chooses, excludes the loss entirely. What’s left in the middle is a liability that nobody contracted for and nobody underwrote, and it sits with the institution that bought the tool because it wanted its doctors to get home before ten.
Why diligence didn’t catch it
I don’t think anyone at Sutter was careless. I think they ran the review they knew how to run, and the review they knew how to run was built for a different kind of software.
The questions we’ve been trained to ask are about custody and security. Where does the data rest, who can access it, is it encrypted, is there a BAA, has the vendor been audited. Those questions assume the risky moment is the storage of the data, because for thirty years it was. What ambient AI does is move the risky moment upstream, to the acquisition of the data, and there is no line on a standard vendor security questionnaire that asks at what instant does this system begin collecting, and what body of law governs that instant.
What I don’t have answers to
Whether CG 40 47 would even apply here is genuinely unclear to me. The exclusion reaches harms linked to generative AI outputs, and the plaintiffs’ whole theory is that the violation was complete at interception, before anything was generated. A careful coverage lawyer could argue the recording isn’t an output at all. I suspect some of the first fights over these endorsements will be exactly that argument, and I don’t know how they will come out.
I also don’t know whether naming vendors as defendants would improve anything. It’s satisfying to say Abridge should be in the caption. It’s less obvious that the resulting settlements wouldn’t simply be priced back into the subscription, which would leave the buyer paying for the vendor’s liability with extra steps.
Suppose the health systems had handed every patient a form. A person in a paper gown, waiting to hear what the scan showed, is not positioned to negotiate the terms of her own recording. She’d sign it. We’d call it consent, and it would be closer to compliance, which is a distinction I’ve written about before and still don’t have a clean fix for.
What to do
Ask your vendors where the data physically goes, and get the answer as a contract exhibit rather than a slide. Subprocessors, jurisdictions, retention windows, and whether any of it trains a model.
Ask when the legally significant event occurs in the system you’re buying. If the answer is “at collection,” your security review is pointed at the wrong moment.
Read your limitation of liability against your realistic exposure rather than against your contract value. If the governing statute assesses damages per encounter, multiply by encounters, and see whether the cap is a cap or a rounding error.
Call whoever owns your organization’s insurance, which for most of us is a person in finance we email twice a year, and ask a specific question: are CG 40 47, CG 40 48, or CG 35 08 on our renewal. Ask before you sign the AI contract, not after.
And check whether you operate in an all-party consent state, because if you do, the compliance work isn’t about the data. It’s about the moment the microphone turns on.
Those five checks are the short version of a longer document. The full sheet, Eight Clauses That Shift AI Liability Onto You, walks through each clause pattern as you’ll actually encounter it in vendor paper, why it hurts, and the replacement language to demand, formatted as a printable you can hand to whoever reads your contracts.
Rachel Ankerholz is an IT Director and writer exploring the intersection of AI ethics, accessibility, and human-centered technology. She writes about who gets included, and who gets left behind, when we build systems.


