You're a solo psychiatric nurse practitioner. Your AI scribe is running on your laptop right now, listening to a patient session. You signed the vendor's contract when you onboarded. You're confident the audio is encrypted. You're confident your patient information is protected.

Last month, that exact scenario stopped being theoretical for three California health systems.

On April 7, 2026, plaintiffs filed a class action complaint in the Northern District of California against Sutter Health, Memorial Health Services, and Memorial Care Medical Foundation. The complaint alleges that the three health systems used an AI scribe product to record clinician-patient conversations during medical visits without giving patients clear notice that the recording was happening, that it was being transmitted to external servers, or that it was being processed by a third-party AI vendor.

The lawsuit's legal theory is worth understanding, because it bypasses the protections most clinicians assume they have.

The claims are not about HIPAA. They're about wiretap.

The plaintiffs allege that the recording itself — the moment audio starts flowing from a microphone in the exam room to the AI vendor's servers — is what the law restricts. Recording a private conversation without all parties' consent is the subject of California's Invasion of Privacy Act, the federal Wiretap Act, and statutes in roughly a dozen states, regardless of what's done with the audio later. California's Confidentiality of Medical Information Act adds another layer: medical recordings have their own specific consent requirements, in their own specific format, with their own retention rules.

Your vendor's standard contract addresses information protection — it says the vendor will protect the audio after they receive it. That contract does not address whether the patient agreed to the audio being recorded in the first place. Two different problems. Two different legal frameworks. One contract covers one. The other is on you.

Issue No. 01 of this newsletter was about vetting your AI scribe vendor. That covered the vendor's side: do they have the security work in place, do they sign the right contracts, do they delete audio on a defined schedule. This issue is about a separate question: at the moment the recording starts, is your patient knowingly and clearly agreeing to be recorded by an AI tool?

Here's how the gap typically shows up in solo or small-group practice.

Your intake form has a consent-to-treatment section. It mentions email communication. It might mention telehealth video. It almost certainly does not mention that an AI-powered transcription tool will be listening to the visit, transmitting audio to a third-party cloud server, generating a clinical note, and retaining that audio for some period of time. The patient signed the consent. The consent did not cover the actual recording. A plaintiff firm in an all-party-consent state could argue that this describes the kind of fact pattern wiretap statutes were designed to cover.

The states matter. Roughly a dozen are "all-party consent" — meaning every person in a recorded conversation must affirmatively agree to the recording: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, Washington. (One-party states require only one person — typically the patient or the clinician — to consent, which is usually a lower bar.) If you practice in an all-party state and your patient hasn't affirmatively agreed to AI recording, you are operating in the legal gap the new complaint is testing.

This is not abstract. A solo nurse practitioner using an AI scribe in California faces the same statutory damages structure as Sutter Health. California's wiretap statute allows $5,000 per violation. The federal Wiretap Act allows $100 per day or $10,000 per violation, whichever is greater. Recordings happen per visit. Statutory damages can stack per recording. The math becomes uncomfortable quickly.

What to do this week, in three steps.

One. Pull your AI scribe vendor's standard patient consent template — most vendors provide one. Read it the way a plaintiff firm would read it. Does it say, in plain language, that an artificial intelligence tool will record the conversation, that the recording will be transmitted to the vendor's servers, that the recording will be retained for a specified period, and that the patient agrees to all of this in advance? If any of those elements is implicit, vague, or missing, the consent has a gap.

Two. Check your state. If you practice in any of the all-party-consent states listed above, the bar is higher — you need every adult in the room (patient plus any spouse, caretaker, family member, advocate present) to affirmatively agree to the recording. If you practice in a one-party state, the bar is lower, but a clearly documented patient consent is still your best defense.

Three. Add the consent language to your intake form and your visit consent. The recording-authorization should be a distinct, separate, signed acknowledgment — not buried inside a general consent. A separate paragraph or signature line that the patient initials makes the consent specific and dated, which is what statutory damages math depends on.

You don't need to abandon your AI scribe. The clinical efficiency case is real — documentation time drops, after-hours charting drops, burnout drops. The fix is to add the consent layer that closes the gap. Three California health systems are showing us what happens when that layer is missing.

Brad

Footnotes
  1. Alston & Bird Privacy, Cyber & Data Strategy Blog, "Your AI Scribe May Be Taking Notes (and Plaintiffs Are Too)" (April 27, 2026): alstonprivacy.com/your-ai-scribe-may-be-taking-notes-and-plaintiffs-are-too.
  2. Class action complaint, Northern District of California (April 7, 2026): complaint PDF (Alston & Bird hosting).
  3. WBUR Up Next, "'Is it OK to record your visit?' What to know about doctors and AI scribes" (May 5, 2026): wbur.org/upnext/2026/05/05/artificial-intelligence-primary-care-privacy.
  4. California Invasion of Privacy Act (CIPA): Cal. Penal Code §§ 630-638; Federal Wiretap Act: 18 U.S.C. §§ 2510-2523; California Confidentiality of Medical Information Act (CMIA): Cal. Civ. Code §§ 56-56.37.