HIPAA Violations at Verily Signal Deeper Risk for Health Tech Compliance
A recent lawsuit against Verily has reignited concerns about whether health technology firms can consistently meet the operational demands of privacy law. The case, filed by former Verily executive Ryan Sloan, alleges that the company concealed multiple violations of the Health Insurance Portability and Accountability Act (HIPAA), impacting more than 25,000 patients. If substantiated, these claims expose not only lapses in internal governance but also structural weaknesses in how emerging digital health platforms manage regulatory accountability.
Verily, a subsidiary of Alphabet operating within its “Other Bets” portfolio, has positioned itself as a precision health innovator. The company has shifted repeatedly across product strategies, from glucose monitors to COVID-19 testing to AI-powered care navigation. But the HIPAA violations alleged in court filings predate many of those pivots and focus instead on a legacy business line: Onduo, Verily’s digital chronic disease management program.
At the core of the dispute is a pattern of alleged HIPAA noncompliance and subsequent concealment, including the unauthorized use of protected health information (PHI) in marketing, conferences, and press materials. The internal investigators cited in the complaint reportedly confirmed violations of 14 separate Business Associate Agreements with major clients between 2017 and 2021. Among the organizations potentially affected are Walgreens Boots Alliance, Highmark Health, Quest Diagnostics, and Delta Air Lines.
Governance Challenges in Commercial-Scale Health Tech
While high-profile HIPAA cases often involve provider systems or insurers, this case centers on a third-party technology vendor contracted to support care delivery through digital platforms. Under HIPAA, these vendors, classified as business associates, are bound to the same data privacy and security rules as covered entities. That includes requirements to notify affected parties of any breach within 60 days of discovery.
The lawsuit alleges Verily delayed notification and continued to negotiate new contracts without disclosing prior breaches. According to the filing, internal executives resisted reporting requirements on the grounds that disclosure would cause reputational damage. The timing of these decisions, as well as the termination of employees who reportedly raised concerns, presents a risk exposure that extends beyond a single compliance lapse.
This dynamic reflects a broader governance challenge in commercial health tech. Companies operating at the intersection of data science and care coordination often scale more quickly than their privacy frameworks. The pace of partnership formation, product iteration, and external marketing frequently outpaces internal controls. Even with standard agreements in place, data use boundaries can become blurred across research, analytics, and promotional activities.
The Burden of Oversight and the Limits of Arbitration
Federal regulators have issued repeated warnings about weak compliance infrastructure within private-sector healthcare startups. In a 2022 report, the Office for Civil Rights (OCR) emphasized that enforcement actions against business associates had increased as digital health vendors assumed more responsibility for direct patient engagement.
While the Verily case is not yet adjudicated, its contours raise questions about how disputes involving HIPAA violations are managed internally and resolved externally. The court’s recent decision to reject Verily’s request for private arbitration allows the case to proceed in public view. That shift places both the company’s practices and the broader ecosystem of health tech privacy under greater scrutiny.
The implications extend to contract structuring, risk disclosure protocols, and pre-emptive auditing practices. Health systems and insurers that rely on digital care platforms must now consider how well those partners enforce privacy compliance, not just at the point of onboarding but across the life of the contract.
Strategic Reputation at Risk
The reputational cost of a HIPAA violation is not confined to fines or settlements. For health tech firms that rely on long sales cycles, trust-based marketing, and deep integration into care workflows, even the perception of regulatory risk can curtail growth. This is particularly true for business models that depend on access to large patient datasets for AI development, predictive modeling, or clinical decision support tools.
Verily has been through multiple rounds of restructuring in recent years and is reportedly preparing to transition into a C-Corp structure to attract new investment. That effort may be complicated by the disclosure obligations associated with ongoing litigation. Investors in health tech have grown more cautious following high-profile compliance failures across the sector. Public and private buyers alike are increasingly focused on whether platform companies can meet not just their technical promises but also their regulatory obligations.
The case also serves as a signal to competing firms, including companies like Doximity, where former Verily executives now hold senior leadership roles. The portability of leadership talent across health tech makes it imperative that data governance practices travel with them, or be clearly severed when compliance standards are breached.
Implications for Health System Partnerships
For health system CIOs, digital strategy officers, and compliance leaders, the lawsuit is a reminder that vendor selection is not the endpoint of risk evaluation. Ongoing auditing, incident reporting requirements, and third-party breach response coordination must be built into operational protocols. Business Associate Agreements, while legally binding, are not self-enforcing. Without internal escalation pathways and external accountability mechanisms, even large-scale compliance breaches can remain unreported for years.
As data becomes the infrastructure of care delivery, the cost of weak oversight grows. Health systems that have outsourced key functions to digital vendors must evaluate whether those partners can sustain the operational maturity required for HIPAA compliance. And for vendors, the standard is no longer technical capability alone. It is governance at scale, transparency under pressure, and an ability to withstand public examination when the stakes are highest.