Ambient listening is no longer a future-state AI use case in healthcare. It’s already inside exam rooms, capturing clinician-patient conversations, generating clinical notes, and flowing documentation into the EHR. Recent lawsuits involving Sharp and Sutter show why health systems need clear governance over how these tools collect, process, store, and share sensitive patient data.
Jose Saucedo went to his doctor for a routine physical. He answered the usual questions: how’s your sleep, any new medications, how’s your stress. A few weeks later, he logged into his patient portal to review his visit notes.
That’s when he found it.
A line in his chart stated that he had been informed about an ambient AI scribe recording his appointment and had consented to it.
But he had not consented to it. No one had mentioned a microphone. No one had asked. Yet there it was: a formal notation, embedded in his permanent medical record, attesting to a conversation that had never taken place.
On November 26, 2025, Saucedo filed a proposed class action lawsuit against Sharp HealthCare in San Diego Superior Court. Attorneys estimated that more than 100,000 Sharp patients may have been recorded without meaningful consent since the system rolled out its ambient listening tool in April 2025.
Less than five months later, on April 8, 2026, nearly identical federal lawsuits landed against Sutter Health and MemorialCare. Same tool. Same allegation. Different health system, same courtroom trajectory.
This didn’t happen through a cyberattack, or a data breach, or through any failure your security team could have detected. And it’s a story every CISO in healthcare needs to read carefully, because the tool at the center of these cases is currently deployed at more than 270 health systems across the country.
Ambient listening is the use of AI-powered audio capture and clinical documentation tools to record clinician-patient conversations, transcribe them in real-time, and generate structured notes for the electronic health record.
In practice, ambient listening tools allow physicians to document an encounter without typing during the visit. A clinician activates the tool on a microphone-enabled device in the exam room, the platform captures the conversation, converts the audio to text, and uses AI to draft a clinical note that can flow into the EHR.
Theoretically, the doctor gets documentation without typing, while the patient gets a more present, less distracted physician.
Abridge — the platform named in both the Sharp and Sutter cases — is one of the most widely adopted examples of ambient listening technology in healthcare.
As of May 2026, more than 270 health systems use the platform, and Abridge says it will support more than 100 million patient conversations by the end of the year. Its customer list includes Mayo Clinic, Johns Hopkins, Duke Health, Kaiser Permanente, and UPMC, a roster that reads like a who’s who of American healthcare.
But for healthcare security teams, ambient listening creates a new kind of governance problem. These tools may pass traditional security checks because the vendor is approved, the data flow is authorized, the connection is encrypted, and the activity appears compliant. DLP, network security, and endpoint protection may all see green lights.
And that, precisely, is the problem.
There is a useful metaphor for understanding what enterprise security tools are designed to do and where their jurisdiction ends.
Imagine the most rigorous nightclub in the city. A bouncer who has memorized every face on the banned list, checks every ID, enforces the dress code without exception. Nobody with bad intentions gets past that door. The system is excellent.
Now ask yourself: what happens inside?
The bouncer works the entrance. Once someone is in (credentialed, authorized, moving through the space exactly as they’re supposed to), the bouncer has no visibility into their behavior. He doesn’t know what’s being said at the bar. He can’t see what’s happening in the back room. He has no mechanism to enforce rules about conversations.
This is precisely the architecture of a mature healthcare security stack. DLP, network security tools, endpoint protection — these are extraordinarily well-engineered systems for governing data movement and blocking unauthorized access.
They were built to answer one category of question: Is this data going somewhere it shouldn’t? Is this actor someone who shouldn’t be here?
They were not built to answer a different, increasingly urgent category of question: Is this approved tool, used by this authorized clinician, behaving within the governance boundaries we intended when we approved it?
Your security stack was built to keep bad things out. It was never built to govern what approved things do once they’re in.
The complaints filed against Sharp and Sutter are detailed legal documents, and they are worth reading not just as litigation but as a forensic account of where AI governance breaks down.
Three structural gaps emerge clearly from the allegations.
The violation alleged in the Sharp case is not that the data was misused after the fact. It is, as the Sutter complaint states explicitly, that the violation occurred “at the moment of interception,” that is, when capture of the live conversation began. California law requires all-party consent before a confidential conversation can be recorded. That consent requirement had to be met, verified, and enforced before the microphone turned on.
Your DLP has no mechanism to ask that question. Neither does your SIEM, your firewall, or your endpoint protection. Those tools exist downstream of the AI workflow, watching what data moves and where it goes.
What is needed is a control that sits upstream — inside the workflow itself, before activation — enforcing the policy condition that must be true for the tool to be used at all.
Both Sharp and Sutter had Business Associate Agreements with Abridge. This is not in dispute.
Under HIPAA, the data transfer was authorized. Under HIPAA, network inspection tools had no reason to flag the traffic.
The issue was not HIPAA. It was a layer of governance that exists above the BAA: the clinical and operational policies the health system intended when it approved the tool, enforced on an ongoing basis, in real-time, at the behavioral level.
A BAA is a contract. It governs data handling between two organizations. It says nothing about whether consent was obtained before a specific patient encounter began. It says nothing about whether the AI’s behavior during that encounter complied with the organization’s policies.
Signing the contract is the beginning of governance, not the end of it.
This is the detail in the Sharp complaint that deserves to be read twice.
According to the lawsuit, the AI clinical notes generated by the ambient AI contained language stating that patients had been “advised” of the recording and had “consented” — language that appears to have been automatically inserted into the medical record, attesting to consent that was never obtained.
The plaintiff only discovered the recording because he read that language and recognized it as false.
Consider what this means from a governance perspective. The tool being governed was populating the compliance fields used to verify its own compliance. The audit trail was generated by the system under audit. And because those fields looked like normal, correctly formatted EHR entries, no external monitoring system flagged them.
An immutable, independently generated audit trail — one the ambient listening tool itself cannot influence — is not an optional governance feature. The Sharp case illustrates what happens when it is absent.
At this point, a thoughtful CISO might raise a reasonable objection: We have visibility into this tool. We approved it. We know it’s running.
This is true. And it is not sufficient.
Sharp and Sutter did not have a visibility problem in the conventional sense. The tool was known. The vendor relationship was documented. The traffic was observable.
What was missing was not the ability to see that ambient listening was running; it was the ability to enforce governance at the behavior layer while it ran.
This distinction matters, and it is the point where most conversations about AI security stop short. The industry has invested heavily in AI visibility tools: dashboards that show which AI applications are in use, traffic analysis that identifies AI-bound data flows, inventory systems that catalog approved and unapproved tools. These capabilities are valuable.
But visibility without control is, at bottom, a better log. It tells you what happened. It does not change what happens.
What the Sharp and Sutter cases required — and what was absent — is enforcement: the ability to define what an approved AI tool is permitted to do and to ensure, in real time, before each clinical encounter, that those conditions are met.
Consent verified before the microphone activates. Policy enforced during the session, not audited afterward. Documentation generated independently, not by the tool being governed.
This is the AI governance layer. It does not replace DLP or endpoint protection or network security. It operates above them, inside the AI workflow, at the point where AI behavior either complies with organizational policy or does not.
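As an added illustration (not Vitea’s, Abridge’s, or any health system’s code; the encounter, the party identifiers and the all_party flag are constructed assumptions), the three requirements above in Python: an upstream consent gate evaluated before the microphone starts, a hash-chained audit ledger the scribe cannot write to, and a reconciliation check that flags a note attesting consent that the ledger does not back.

```python
import hashlib
import json
import re


class AuditTrail:
    """Append-only, hash-chained ledger written only by the governance layer."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True


def can_activate(encounter: dict, consents: set, trail: AuditTrail, all_party: bool) -> bool:
    """Upstream gate evaluated before the microphone starts (constructed model).
    all_party=True models an all-party-consent jurisdiction: every party in the room
    needs a consent record captured outside the scribe, e.g. at check-in."""
    required = set(encounter["parties"]) if all_party else {encounter["clinician"]}
    missing = sorted(required - consents)
    allowed = not missing
    trail.append({"encounter": encounter["id"], "decision": "allow" if allowed else "deny",
                  "missing_consent": missing})
    return allowed


ATTESTATION = re.compile(r"\b(consented|advised of (the )?recording)\b", re.I)


def unbacked_attestation(encounter_id: str, note_text: str, trail: AuditTrail) -> bool:
    """Detection: a note that attests consent with no independent 'allow' record
    for that encounter is the failure mode described in the Sharp complaint."""
    backed = any(e["event"]["encounter"] == encounter_id and e["event"]["decision"] == "allow"
                 for e in trail.entries)
    return bool(ATTESTATION.search(note_text)) and not backed
```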
Eleven U.S. states now require all-party consent before a confidential conversation can be recorded. That number is growing. OCR is watching. Plaintiffs’ attorneys, having seen the Sharp filing, are now watching 270 health systems.
The question is not whether ambient listening carries governance risk. The Sharp and Sutter cases have settled that. The question is whether your organization is governing it. Not just observing, not just contracting around it, but actively enforcing the conditions under which it is permitted to operate.
Based on what the Sharp and Sutter cases reveal, a complete AI governance posture for ambient listening and for clinical AI tools broadly requires four capabilities that enterprise security stacks were not built to provide.
The governance layer described above is not a feature that can be added to DLP. It cannot be configured into a SIEM. It is a distinct control class, and it’s exactly what Vitea provides.
Vitea gives healthcare security teams the ability to govern AI at the behavior layer:
The distinction between what Vitea does and what DLP does is not a matter of degree.
DLP governs data movement. Vitea governs AI behavior.
Sharp and Sutter had data protection. What they did not have was the control that operates inside the AI workflow, before the session begins, at the moment that compliance either happens or doesn’t.
The bouncer at the door isn’t enough anymore. The risk is already inside.
Ambient AI is already moving faster than most governance programs were designed to handle. Get in touch with the Vitea team to see how your organization can strengthen AI oversight, uncover shadow AI, and enforce the policies that matter before risk enters the workflow.