A former Verily executive has filed a whistleblower lawsuit alleging that Alphabet’s health-tech subsidiary misused sensitive patient data, violated HIPAA, and delayed breach notifications to covered entities.
A former Verily executive, Ryan Sloan, has filed a lawsuit alleging that Verily, Alphabet’s health-technology subsidiary, misused private patient data, violated the Health Insurance Portability and Accountability Act (HIPAA), and engaged in a cover-up when these violations came to light. Sloan claims that Verily’s diabetes management unit, Onduo, improperly used sensitive data from more than 25,000 patients without their consent. According to the complaint, the data was not only applied in research and marketing but was also shared in external communications, including press releases and conferences, in ways that breached HIPAA rules. The lawsuit further asserts that Verily failed to notify covered entities and patients of the breaches within the legally required timeframe and instead concealed the violations while negotiating contract renewals. Sloan alleges he was fired in January 2023 after raising these issues internally, while other employees, including Onduo’s general counsel, Julia Feldman, also faced termination after flagging concerns. In early September, a federal judge rejected Verily’s bid to dismiss the lawsuit or send it to arbitration, ensuring the case will proceed in court.
At the center of the dispute is Onduo, a Verily unit focused on managing chronic conditions such as diabetes and hypertension. The business deals directly with highly sensitive patient health information, which makes HIPAA compliance essential. Under HIPAA, covered entities such as hospitals and insurers can only share protected health information with business associates like Onduo if there is a business associate agreement (BAA) in place to ensure proper data safeguards. Sloan’s lawsuit alleges that Onduo and Verily violated at least 14 such BAAs between 2017 and 2021, breaching their contractual and legal obligations.
Sloan and Feldman reportedly uncovered the compliance issues in early 2022 and raised them to senior management. An internal investigation allegedly confirmed multiple HIPAA violations, but the company failed to notify the affected covered entities and patients within the legally mandated 60-day window. Instead, the lawsuit contends that Verily pressed ahead with contract renewals, assuring partners of compliance despite knowing otherwise. Retaliation is another key theme in the case: Sloan argues he was terminated for speaking up, in violation of whistleblower protections. The recent decision by the court to let the case move forward suggests that the judge believes the allegations are substantial enough to warrant full legal review.
According to CNBC, in his lawsuit, Sloan alleges that top Verily management was aware of confirmed HIPAA violations yet made decisions aimed at suppressing that information. The filing states, “Between January and March of 2022, internal investigators at Verily confirmed multiple breaches of fourteen (14) separate HIPAA Business Associate Agreements with large, covered-entity clients of Onduo between 2017 and 2021.” The complaint further accuses Verily of deciding “to delay the decision of notifying the covered entities” of the breaches and of negotiating contracts while knowing there were unresolved compliance issues.
Speaking to CNBC, a spokesperson for Verily strongly denied the claims, calling them “completely without merit.” The statement continued: “Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law.”
Under the HIPAA Breach Notification Rule, covered entities and their business associates must notify affected parties when unsecured protected health information (PHI) is compromised. The law is clear: once a breach is discovered, organizations have no more than 60 days to inform patients, covered entities, and in some cases the Department of Health and Human Services (HHS). If the breach affects more than 500 individuals, organizations are also required to notify prominent media outlets serving the affected area.
If the HIPAA violations and delayed breach notifications are confirmed, Verily could face regulatory penalties, civil damages, and scrutiny of its compliance practices.
Verily is Alphabet’s health-technology subsidiary. It develops digital health tools and programs to help manage chronic conditions like diabetes and hypertension.
A whistleblower is someone who reports wrongdoing within an organization, such as violations of laws, regulations, or company policies. In this case, a former Verily executive reported alleged HIPAA violations.
BAAs legally bind business associates like Verily to protect patient information and follow HIPAA rules. The lawsuit alleges that Verily violated at least 14 BAAs with its covered-entity partners by mishandling PHI.