Table of Contents
- What the lawsuit was really about
- Why California law was the star of the show
- How the case unfolded in court
- What exactly did the courts say about the alleged data flow?
- Why Quest won but healthcare companies still should not celebrate too hard
- The bigger California context around Quest Diagnostics
- What patients, providers, and digital teams should learn from this case
- Experiences related to the topic: what this kind of lawsuit feels like in the real world
- Conclusion
The headline may look like it got cut off by an overenthusiastic keyboard shortcut, but the legal fight behind it is very real. At the center of this story is Quest Diagnostics, one of the biggest names in diagnostic testing, and a lawsuit accusing the company of violating California privacy laws by allowing Meta’s tracking technology to collect data from visitors to its websites. In plain English: plaintiffs argued that a tiny piece of code did something with very big consequences.
The case became a closely watched dispute because it sits at the intersection of healthcare, digital advertising, patient trust, and modern privacy law. That is a crowded intersection, and nobody enjoys being hit there. On one side, the plaintiffs said Quest’s use of a pixel on its public website and patient-facing portal allowed Facebook to receive information about their browsing activity, including activity related to accessing test results. On the other side, Quest argued that the legal theories did not fit the facts, especially under California’s wiretap and medical privacy statutes.
By late 2025, the U.S. Court of Appeals for the Third Circuit sided with Quest and affirmed dismissal of the claims. But this is not a simple “case closed, everybody go home” moment. Even though Quest won the appeal, the litigation still matters. It shows how aggressively plaintiffs are challenging tracking technologies in healthcare settings, how narrowly courts may read some privacy statutes, and why diagnostic companies, hospitals, insurers, and digital health brands should treat website pixels as legal risk, not just marketing plumbing.
What the lawsuit was really about
The plaintiffs, Angela Cole and Beatrice Roche, alleged that Quest Diagnostics used Meta’s tracking pixel on both its general public website and its password-protected MyQuest portal. According to the allegations discussed in court, the pixel transmitted information such as page URLs, page titles, keywords, descriptions, and signals indicating that a patient had received and was accessing test results. The plaintiffs argued that this setup effectively allowed Facebook to learn about sensitive website activity connected to users who were logged in to Facebook on their devices.
That matters because Quest is not selling sneakers or novelty coffee mugs. It operates in healthcare. When a consumer visits a lab company’s patient portal, schedules an appointment, reviews a bill, or checks test results, the data trail can reveal something intimate about the person’s medical life. Even when the transmitted information does not spell out a diagnosis in bright neon letters, a plaintiff can argue that context alone makes the disclosure sensitive.
The complaint focused on two California statutes in particular: the California Invasion of Privacy Act, better known as CIPA, and the Confidentiality of Medical Information Act, or CMIA. Those laws became the twin engines of the lawsuit, and both are increasingly important in website-tracking cases involving health data.
Why California law was the star of the show
CIPA: California’s anti-eavesdropping law meets modern tracking tools
CIPA was written long before marketers started arguing over cookies, pixels, tags, scripts, and every other invisible gadget glued onto modern websites. The statute is often described as a wiretap or eavesdropping law, and plaintiffs in recent years have tried to apply it to online tracking technologies. Their theory is usually straightforward: if a company uses third-party code that captures or helps capture website communications without proper consent, that can look a lot like unlawful interception.
In the Quest case, the plaintiffs argued that Quest aided, agreed with, and conspired with Facebook to intercept their internet communications while they were using Quest’s websites. That is serious language, and it reflects a broader litigation trend in California privacy suits. Companies that once treated analytics code as a harmless dashboard accessory are now learning that plaintiffs often see it as a digital stethoscope pressed against private browsing behavior.
CMIA: medical privacy with a narrower lane
The CMIA claim was different. Here, the central question was whether the information allegedly disclosed amounted to “medical information” under California law. That sounds obvious at first. If the dispute involves a patient portal and test results, surely that must be medical information, right? Not necessarily. Courts often want something more specific than generalized health-related context. They look for substantive medical information, such as the kind of test involved, the nature of treatment, diagnosis-related content, or actual medical results.
That legal distinction ended up being a major problem for the plaintiffs. The courts concluded that alleging Facebook could infer a person was viewing test results was not the same as alleging Quest disclosed the actual type of test or the result itself. In privacy litigation, that difference can feel painfully technical. In court, technical differences often pay the rent.
How the case unfolded in court
The road to the Third Circuit was not a straight line. The lawsuit began in federal court in California, was transferred to New Jersey, and then took on the rhythm familiar to class action watchers: motion practice, partial wins, reconsideration, and appeal.
In a July 2024 ruling, the district court granted Quest’s motion to dismiss in part and denied it in part. The court allowed the CIPA claim to move forward at that stage, finding that the plaintiffs had plausibly alleged lack of consent and that the content of the communications, including descriptive URLs and related data, could potentially qualify as “content” under CIPA. But the court dismissed the CMIA claim without prejudice because the plaintiffs did not plausibly allege the disclosure of substantive medical information. Simply put, the court said the allegations did not identify disclosure of the actual test type or test results.
Then the story changed. In January 2025, Quest succeeded on reconsideration as to the CIPA theory. The district court revisited the question and concluded that Meta was not “eavesdropping” in the way CIPA requires because the users’ browsers directly transmitted the data to Facebook. That shift was crucial. It transformed the case from a possible cautionary tale for Quest into a significant defense-side win for companies facing similar pixel suits.
The plaintiffs appealed, but in November 2025 the Third Circuit affirmed dismissal of both claims. The appellate court emphasized two core points. First, on CIPA, the plaintiffs directly transmitted the browsing data to Facebook, so there was no separate unlawful interception in transit that Quest could be accused of aiding and abetting. Second, on CMIA, the allegations still did not show disclosure of substantive medical information. Knowing someone accessed test results was not enough, according to the court, without allegations showing what specific medical information was revealed.
One more detail matters: the Third Circuit’s opinion was nonprecedential. That means it is important and influential, but it is not the kind of binding blockbuster that instantly rewrites the law everywhere. Still, companies and plaintiffs’ lawyers will absolutely read it, cite it, and fight over what it means in the next round of healthcare pixel cases.
What exactly did the courts say about the alleged data flow?
The technical mechanics mattered a lot here. The plaintiffs alleged that when users visited Quest’s general website, the Meta pixel transmitted the requested URL along with page titles, keywords, and descriptions. When users accessed MyQuest, the pixel allegedly transmitted a URL indicating, at minimum, that a patient had received and was accessing test results. In the plaintiffs’ view, that was enough to create a privacy violation.
The courts, however, drew a line between direct receipt and unlawful interception. The reasoning was that Facebook was getting the data directly from the users’ browsers through the code as configured, not secretly tapping into a separate private communication like a digital villain in a trench coat. Because the transmission to Facebook was direct, the appellate court held there was no actionable “eavesdropping” by a third party under the theory the plaintiffs advanced.
On the medical privacy side, the courts were equally precise. The allegations may have suggested that Facebook could infer a patient was in a health-related portal and was looking at results. But inference is not always enough. The courts wanted allegations that actual substantive medical information was disclosed, not merely metadata indicating a patient was accessing a healthcare service.
Why Quest won but healthcare companies still should not celebrate too hard
If you work in healthcare compliance, this case is not a permission slip to scatter pixels across patient-facing pages like confetti. Quest won, yes. But the decision turned on specific pleadings, specific statutes, and a specific theory of interception. It did not declare that all healthcare tracking is legally harmless. Far from it.
Federal guidance still treats online tracking in healthcare as a serious compliance issue. The U.S. Department of Health and Human Services has continued to warn regulated entities that user-authenticated webpages, such as patient portals, generally involve protected health information and must be handled accordingly. HHS has also made clear that a cookie banner is not the same thing as a HIPAA-compliant authorization. That means a company can win one privacy suit and still end up with a much larger compliance headache if its governance is sloppy.
California is also not exactly taking a nap on digital privacy enforcement. In 2025, the California Attorney General announced a major settlement with Healthline over alleged online tracking violations under the CCPA and related law. That action underscored a broader enforcement message: health-related website activity is sensitive, targeted advertising practices are under scrutiny, and “everybody uses trackers” is not a legal defense. That backdrop makes the Quest decision more interesting, not less. It shows that winning one case under CIPA and CMIA does not remove exposure under other privacy rules, consumer protection theories, or regulatory expectations.
The bigger California context around Quest Diagnostics
The privacy lawsuit also lands against a broader backdrop of Quest’s California legal history. In February 2024, California Attorney General Rob Bonta announced a nearly $5 million settlement with Quest over allegations involving unlawful disposal of hazardous waste, medical waste, and protected patient information at facilities across the state. That matter was not about website tracking, but it reinforced the point that patient information handling can create serious legal exposure in California even when the underlying conduct looks operational rather than digital.
Quest has also faced other privacy-related claims involving California law. A separate lawsuit discussed in health privacy reporting alleged that Quest and an affiliated revenue services arrangement improperly disclosed medical information to third-party debt collectors in violation of CMIA. Again, different facts, different theory, same general lesson: whenever healthcare companies move information outside their immediate clinical workflow, plaintiffs and regulators want to know exactly what moved, why it moved, and whether the law allowed it.
And the company’s California litigation history goes back even further. In 2011, California announced a $241 million settlement with Quest in a False Claims Act case involving allegations of illegal overcharges to Medi-Cal and kickbacks for referrals. That case had nothing to do with pixels or portal metadata, but it shows Quest has been no stranger to California scrutiny over the years. For a public company in healthcare, legal risk in California is less a surprise thunderstorm and more a weather pattern.
What patients, providers, and digital teams should learn from this case
For patients, the practical takeaway is simple: health-related browsing is not just “website activity.” It can expose deeply personal context, even when the data looks technical. A URL, a page title, a login path, or a portal event may sound boring to an engineer and intensely revealing to a plaintiff’s lawyer. Patients have become far more aware of that tension, and healthcare brands ignore that shift at their peril.
For healthcare providers and labs, the lesson is governance. Before deploying tracking tools, companies need to know what data is being transmitted, on which pages, to which vendors, for what purpose, under what contract, and with what user notice or authorization. If the marketing team says the code is “just analytics,” that should trigger a follow-up question, not a sigh of relief.
For digital teams, this case is a reminder that legal risk often hides inside ordinary workflows. A login page, a scheduling widget, a bill-pay path, or a result-view event can all carry more privacy weight than a generic homepage click. Healthcare sites should be mapped page by page, event by event, vendor by vendor. Boring? Absolutely. Important? Also absolutely.
And for plaintiffs’ lawyers, Quest is not the end of the road. It is a signal to plead more specifically, focus more sharply on what data was actually transmitted, and consider alternative claims beyond a pure eavesdropping theory. In other words, this ruling may narrow one route, but it does not shut down the whole highway.
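The page-by-page, event-by-event, vendor-by-vendor mapping described above can start from a browser traffic capture. The following is an added example, not code from the case record or from any company named here; the domains `lab.example`, `tracker.example` and `fonts.example`, the `/portal/` prefix, the query parameter names and the capture rows are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "lab.example"      # hypothetical first-party domain
AUTH_PREFIXES = ("/portal/",)    # hypothetical authenticated (logged-in) paths

# Constructed capture: one row per outbound request seen while a page was open.
CAPTURE = [
    {"page": "https://lab.example/locations", "title": "Find a location",
     "request": "https://lab.example/static/app.js"},
    {"page": "https://lab.example/locations", "title": "Find a location",
     "request": "https://tracker.example/collect?ev=PageView"
                "&dl=https%3A%2F%2Flab.example%2Flocations"},
    {"page": "https://lab.example/portal/results/view", "title": "Your test results",
     "request": "https://tracker.example/collect?ev=PageView"
                "&dl=https%3A%2F%2Flab.example%2Fportal%2Fresults%2Fview"
                "&t=Your%20test%20results"},
    {"page": "https://lab.example/portal/billing", "title": "Pay a bill",
     "request": "https://fonts.example/font.woff2"},
]


def is_third_party(host):
    return host != FIRST_PARTY and not host.endswith("." + FIRST_PARTY)


def leaked_fields(entry):
    """Which page attributes appear (URL-decoded) in the request's query string."""
    values = [v for _, v in parse_qsl(urlsplit(entry["request"]).query)]
    leaked = set()
    if any(entry["page"] in v for v in values):
        leaked.add("page_url")
    if entry.get("title") and any(entry["title"] in v for v in values):
        leaked.add("page_title")
    return sorted(leaked)


def inventory(capture):
    """Map page -> vendor -> data sent, with a triage level per row."""
    rows = []
    for e in capture:
        vendor = urlsplit(e["request"]).hostname
        if not is_third_party(vendor):
            continue
        authed = urlsplit(e["page"]).path.startswith(AUTH_PREFIXES)
        leaked = leaked_fields(e)
        if authed:
            level = "high" if leaked else "review"
        else:
            level = "medium" if leaked else "low"
        rows.append({"page": urlsplit(e["page"]).path, "vendor": vendor,
                     "authenticated": authed, "leaked": leaked, "level": level})
    return rows


if __name__ == "__main__":
    for row in inventory(CAPTURE):
        print(row)
```

Any third-party request on an authenticated page is surfaced at least as "review", so a vendor that receives no page data still has to be explained by someone.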
Experiences related to the topic: what this kind of lawsuit feels like in the real world
Cases like this resonate because they mirror real experiences happening every day across the healthcare ecosystem. Start with the patient experience. A person logs into a portal to check whether a lab result is ready, confirm an appointment, or look at a bill. They are not thinking about ad tech, browser requests, or metadata architecture. They are thinking about their thyroid panel, their cholesterol numbers, or whether the test result they are about to open will ruin lunch. When they later hear that a tracker may have transmitted health-adjacent browsing data to a major platform, the reaction is rarely technical. It is emotional. People feel watched in a place where they expected confidentiality.
Then there is the compliance team experience. In many organizations, the privacy office discovers the tracking setup only after a lawsuit lands, a vendor questionnaire gets uncomfortable, or an internal audit goes spelunking through page tags. Suddenly, people from compliance, legal, marketing, cybersecurity, procurement, and IT are all in the same meeting using the same words to mean wildly different things. One person says “cookie,” another says “pixel,” another says “event stream,” and someone in the corner quietly realizes the patient portal has six third-party scripts and nobody can explain why. It is the corporate version of finding out your attic has raccoons and a skylight leak on the same afternoon.
The marketing team has its own version of the experience. Marketers often use pixels because they want attribution, campaign measurement, audience building, and conversion data. Those goals are normal and common. But healthcare is not a normal retail category, and a result-view page is not the same as a shopping cart confirmation. The hard lesson from litigation like this is that the most useful marketing signal can also be the most legally radioactive. A clean dashboard is lovely. A class action is less lovely.
Vendors feel the pressure too. Companies that provide analytics, ad targeting, tag management, consent tools, or customer data platforms now find themselves pulled into privacy reviews with healthcare clients that are far more detailed than they were a few years ago. Questions about data minimization, business associate status, downstream use restrictions, retention periods, and cross-context behavioral advertising are no longer niche. They are contract-negotiation staples. In some organizations, that has changed vendor relationships from “plug this in and let us know if the chart turns green” to “please provide your architecture diagram, subprocessor list, and a written explanation of every event fired on authenticated pages.”
Finally, there is the executive experience, which is often the fastest path from abstract legal theory to budget reality. A lawsuit over a pixel can force expensive forensic reviews, outside counsel bills, platform reconfiguration, new consent design, updated contracts, retraining, and public-relations work. Even when the company wins in court, it may still lose time, money, and trust. That is why the Quest lawsuit matters beyond its outcome. It captures a very modern problem: in healthcare, the smallest technical implementation can trigger the biggest institutional reckoning.
Conclusion
The lawsuit against Quest Diagnostics over alleged California privacy violations may have ended in a defense win, but the underlying issue is not going away. The Third Circuit concluded that the plaintiffs had not plausibly shown unlawful interception under CIPA or disclosure of substantive medical information under CMIA. That was a meaningful victory for Quest and a useful decision for companies defending similar claims.
Still, the broader message is unmistakable. Healthcare websites and patient portals are now frontline privacy territory. Regulators are watching, plaintiffs are getting more creative, and consumers are less willing to shrug at hidden tracking tools attached to sensitive health journeys. A pixel may be only one little square of code, but in healthcare, it can cast a very long shadow.