Data collection, sale claims can move forward against hospital
Correy E. Stephenson, Special to Missouri Lawyers Media//March 12, 2026//
Summary:
- The Missouri Court of Appeals, Western District ruled sovereign immunity does not bar patients’ data privacy claims against a hospital board.
- Patients allege the hospital website secretly used tracking tools from tech companies to collect and share sensitive health information.
- The court found the alleged data collection and disclosure could be considered proprietary activity, not a governmental function.
- Claims based on criminal statutes for computer tampering and identity theft were dismissed, but other privacy and duty-based claims may proceed.
The doctrine of sovereign immunity does not bar claims by patients alleging that a hospital violated a variety of common law and statutory duties by surreptitiously collecting their personal data while the patients were using the hospital’s website and online patient portal and disclosing it to third parties, the Western District Court of Appeals ruled on March 3.
North Kansas City Hospital is operated by a Board of Trustees. Pursuant to a management agreement, the Board and Meritas Health Corporation maintain a website for the hospital and a patient portal accessible through the site.
The hospital’s website contains a privacy policy that states it does not collect personally identifying information when patients visit the site and proclaims that the hospital never sells or rents patients’ information to third parties.
In addition to violations of the policy, the five patients who filed suit alleged that the Board and Meritas have common law, statutory and regulatory obligations to maintain the confidentiality of their personal healthcare-related information and to use that information solely for the purpose of providing healthcare services to patients.
According to the complaint, the Board and Meritas embedded tracking devices on the hospital’s website and patient portal developed by commercial technology companies including Facebook, Google, YouTube and Microsoft. The tracking devices collect sensitive and personal healthcare-related information, the plaintiffs claimed, such as medical history, insurance coverage, health concerns and personally identifiable information, and disclose this data to third parties, sometimes in real time.
The Board moved to dismiss based on sovereign immunity and the circuit court granted the motion, finding that the Board’s challenged actions involved governmental rather than proprietary functions. The patients appealed.
Writing for the panel, Judge Alok Ahuja affirmed in part and reversed in part, joined by Chief Judge Anthony Rex Gabbert and Judge James M. Dowd.
Although it recognized that the distinction between “governmental” and “proprietary” functions may be murky, the court determined that the Board was not entitled to sovereign immunity because it was not performing a governmental function based on the patients’ allegations.
“The circuit court erred by viewing the Board’s actions at an overly high level of generality or abstraction,” the court wrote. “To determine whether a municipal entity is performing a governmental or proprietary function, it is inappropriate to focus on the municipality’s overall purpose or mission; instead, ‘the analysis focuses on the activity giving rise to the injury to determine whether the activity was an exercise of a governmental or a proprietary function.’”
Although the Board’s “ultimate service” might be the operation of a hospital, that was not the activity out of which the patients’ alleged injuries arose, the court explained, and the relevant question was “whether the Board’s gathering of personal information on its patients, and disclosure of that information to third parties for commercial use, constituted a governmental or proprietary act.”
The 110-page third amended complaint contained detailed allegations that “if proven, would be sufficient to support the conclusion that the Board’s data collection and data disclosure were not ‘performed for the common good of all,’ but were instead undertaken ‘for profit or for the special benefit of the municipality,’” the court added. “The [complaint] alleges that the data disclosure does nothing to facilitate the hospital’s provision of healthcare services to its patients, but instead furthers the commercial objectives of the Board and of third parties, which may be wholly unrelated to the provision of medical services.”
Nor was the court persuaded that the patients’ claims should be dismissed under the “public duty” doctrine, as the Board was alleged to have violated duties owed to patients, who were allegedly injured as distinct individuals and not based on a duty that the Board owed broadly to the general public.
The patients also argued that the Board waived its sovereign immunity by purchasing applicable insurance and that the circuit court erred when it held that § 537.610.1 was inapplicable.
As a municipal agency, the Board was subject to both §§ 71.18.51 and 537.610.1 and the patients adequately plead facts supporting their claim that the Board had waived its sovereign immunity through the purchase of liability insurance, the court said.
The court did affirm dismissal of the patients’ claims for tampering with computer data and identity theft, however, as both were based on criminal statutes which do not apply to municipal entities like the Board.
While the statutes did allow for the Board to be considered a “person,” the court found that it could not commit criminal offenses like those defined in the statutes.
“Although [the patients] in this case seek to impose only civil liability on the Board, their data tampering and identity theft claims invoke ‘statutes defining criminal behavior’; moreover, those statutes specify that violations of the standards of conduct on which [the patients] rely ‘ha[ve] penal consequences,’” the court said.
Stephen M. Gorny of Gorny Dandurand in Kansas City, who represented the patients, did not respond to a request for comment on the decision.
Neither did Leawood attorney Timothy S. Frets of Rouse Frets White Goss Gentile Rhodes, who represented the Board and Meritas.
The case is Doe v. Meritas Health Corporation, Case No. WD87830.
Related Articles
Latest Opinion Digests
- Insurance-Interpleader-Competing Claims to Insurance Proceeds
- Employer-Employee-Discrimination-Hostile Work Environment
- Criminal Law-Rape-Oral and Written Judgments
- Torts-Defamation-Official Immunity
- Real Property-Adverse Possession-Oral Agreement for Sale
- Domestic Relations-Termination of Parental Rights-Parental Unfitness
- Criminal Law-Violation of Order of Protection-Scope of Cross-Examination
- Criminal Law-Resisting Arrest-Sufficiency of Evidence
- Criminal Law-Post-Conviction Relief-Ineffective Assistance of Counsel
- Domestic Relations-Dissolution-Property Division
- Criminal Law-Assault-Self-Defense
Top stories
- Supreme Court rejects bright-line rule on FAA worker exemption
- 2026 Unsung Legal Heroes: Publisher’s Letter, honorees
- Driver in accident settles negligence suit with other motorist
- Verdicts may fuel Missouri social media claims
- Judge Anthony Rex Gabbert retiring after 32 years
- Severe motorcycle crash nets seven-figure settlement
- Defense avoids $21M demand after client accused of stealing intellectual property
- COA reverses summary judgment on discrimination claims





