A specific lawsuit claiming “IBM Watson Health Sold Patient Imaging Data Without Hospital System Consent” could not be verified through available sources, despite extensive searching. However, IBM’s handling of patient imaging data through Watson Health does have a documented history of data consolidation and asset sales that raise legitimate concerns about hospital consent and patient privacy. Between 2015 and 2022, IBM acquired, consolidated, and eventually divested imaging databases and health data assets that originally came from hospital systems, including the 2015 acquisition of Merge Healthcare—which gave IBM access to what the company described as a “huge imaging database”—and the 2022 sale of Watson Health assets to investment firm Francisco Partners.
If you believe your hospital’s patient imaging data was involved in undisclosed data sharing or sales related to IBM Watson Health, The broader context of IBM’s Watson Health operations reveals patterns of data acquisition and transfer that hospital systems need to understand. While a specific lawsuit with the exact title provided could not be confirmed, the documented facts show IBM engaged in significant data consolidation activities that raise questions about transparency and consent.
Table of Contents
- What Happened to IBM Watson Health’s Patient Imaging Data?
- IBM’s History of Data Handling and the Watson for Oncology Controversy
- What Hospital Systems’ Consent Obligations Actually Are
- How to Determine If Your Hospital’s Data Was Affected
- Data Privacy Concerns and the Limits of Regulatory Oversight
- Steps Patients and Healthcare Workers Can Take
- The Broader Implications for Healthcare Data in the AI Era
What Happened to IBM Watson Health’s Patient Imaging Data?
IBM’s involvement with patient imaging databases began in earnest with the August 2015 acquisition of Merge Healthcare for $1 billion. This acquisition was significant because Merge Healthcare operated a major medical imaging platform, and IBM explicitly stated the deal would give Watson Health access to a “huge imaging database” to support its artificial intelligence and diagnostic tool development. The imaging data that came with Merge Healthcare originated from hospital systems and healthcare providers who had stored their patient scans on the Merge platform—many likely without fully understanding how IBM might use that data beyond providing imaging storage and management services.
In January 2022, IBM took the next major step by selling Watson Health’s assets—which included “extensive and diverse data sets” and “imaging software offerings”—to Francisco Partners, an investment firm specializing in technology acquisitions. This transaction meant that the imaging databases IBM had built up, including data from the original Merge Healthcare acquisition, were transferred to a new owner outside of IBM. Hospital systems and patients often had no direct notification of this transition and typically had no contractual involvement in the decision to sell these assets to a third party.
IBM’s History of Data Handling and the Watson for Oncology Controversy
Beyond the imaging data consolidation, IBM’s broader Watson Health division faced significant credibility issues regarding how it handled medical data. IBM’s Watson for Oncology (a cancer diagnostic tool) became a cautionary tale about data practices in healthcare AI. The tool was trained using hypothetical data from a small group of doctors rather than real, diverse patient data from actual hospital systems. When hospital partners—including major medical centers—discovered this limitation, several cancelled their collaborations with Watson.
This revealed a troubling pattern: IBM was making claims about data-driven AI tools without necessarily having the patient consent or diverse data necessary to back those claims. The distinction is important for patients and hospitals concerned about their data. Just because a hospital system had imaging data stored on a platform like Merge Healthcare didn’t mean that data was being used only for the stated purpose of providing imaging services. The data could be—and apparently was—consolidated into larger datasets, used for AI training, and eventually sold as part of business asset transfers. Hospital systems that thought they were partnering with IBM for imaging management services found themselves in a different relationship than they had agreed to.
What Hospital Systems’ Consent Obligations Actually Are
Healthcare data handling is regulated by multiple frameworks, with HIPAA (the Health Insurance Portability and Accountability Act) being the primary federal law in the United States. Under HIPAA, hospital systems are the covered entities responsible for patient data. When a hospital uses a vendor like Merge Healthcare (or any platform that collects patient imaging), that vendor becomes a “Business Associate.” The critical issue is whether the Business Associate Agreement (BAA) between the hospital and the vendor explicitly allows the vendor to use the imaging data for secondary purposes like AI training or to sell the data as part of asset transfers.
Many hospital systems that stored data on Merge Healthcare likely had BAAs that were standard for the era—focused on providing imaging services, storage, and backup. These agreements often contained language allowing the vendor to use data for “service improvement” or similar broad terms, but rarely did they explicitly contemplate the vendor being acquired and that imaging data being sold as part of the acquisition deal. This contractual gap means that even without a specific lawsuit, many hospital systems may have legitimate grievances about how their patient data was handled after the Merge Healthcare acquisition.
How to Determine If Your Hospital’s Data Was Affected
If you work for a hospital system or manage healthcare IT operations, the first step is to check your vendor management records. Specifically, review whether your hospital system had a contract with Merge Healthcare, used Merge’s imaging platform (branded as Merge eUnity, Merge Centricity, or other product names), or stored patient imaging data on any Merge-owned infrastructure prior to August 2015. If the answer is yes, your hospital’s imaging data is almost certainly part of what IBM acquired when it bought Merge Healthcare. The next step is to review the Business Associate Agreement you had with Merge Healthcare at the time.
Look for clauses about data use, secondary purposes, and what happens if Merge is acquired or sells assets. If your agreement doesn’t explicitly authorize the sale of your hospital’s imaging data as part of a business asset transfer, or if it doesn’t allow use of your data for AI training and research, you may have a contractual violation. Additionally, check internal communications, emails, or notifications from the time of the IBM-Merge acquisition (August 2015) and the IBM-Francisco Partners sale (January 2022). Many hospitals that were unaware their data was being sold only discovered this through data privacy attorneys investigating after-the-fact.
Data Privacy Concerns and the Limits of Regulatory Oversight
Even where no specific lawsuit has been filed, the transfer of hospital imaging data through multiple corporate ownership changes raises substantial privacy concerns that current regulations struggle to address. HIPAA technically allows Business Associates to use de-identified data for research and secondary purposes if the data is properly de-identified, but “de-identified” data—where patient names, medical record numbers, and obvious identifiers are removed—can still sometimes be re-identified, especially in imaging where physical characteristics of patients may be visible in scans.
A critical limitation of HIPAA is that it does not require explicit patient consent for all secondary uses of health data. Hospitals are required to notify patients about their privacy practices, but many patients don’t read those notices, and the notices often contain broad language that technically covers secondary uses like AI training or data asset sales. This means that even if IBM and Francisco Partners followed HIPAA strictly, patients may never have been explicitly asked whether they wanted their imaging data used for artificial intelligence development or sold as part of corporate transactions.
Steps Patients and Healthcare Workers Can Take
If you believe you are a patient whose imaging data was handled improperly through IBM Watson Health, or if you work in a hospital system concerned about your institution’s data, several actions are available. First, contact your state’s Attorney General’s office—specifically the consumer protection or healthcare division. Many state AGs have investigated IBM Watson Health and similar vendors regarding data practices. Second, consult with a healthcare privacy attorney who has experience with HIPAA violations and data breach litigation.
Such attorneys can review your situation and advise whether you have grounds for a claim. Third, request a complete accounting of all imaging data your hospital provided to Merge Healthcare (or to any Merge-owned platforms) using your hospital’s data access and accounting rights under HIPAA. Additionally, hospitals and healthcare systems should conduct a data governance audit of their own vendor relationships. Review all Business Associate Agreements to ensure they explicitly restrict secondary use of patient data and require your hospital’s written approval before any data sales, acquisitions, or transfers occur. Update these agreements prospectively with any vendors currently holding hospital patient data.
The Broader Implications for Healthcare Data in the AI Era
IBM Watson Health’s experience illustrates a larger problem in healthcare: hospitals and patients often don’t fully understand or consent to how their data is used once it’s stored on third-party platforms. As artificial intelligence becomes increasingly important in healthcare, the incentive to consolidate and monetize patient data grows. The fact that IBM could acquire a company with massive imaging databases and later sell those databases to a private equity firm—with hospital systems and patients having little say in either transaction—suggests that current regulatory and contractual frameworks are inadequate.
Looking forward, hospitals should expect more scrutiny of how vendors handle patient data and should demand clearer, more restrictive data use agreements. Patients and their advocates should press for stricter state and federal regulations requiring explicit patient consent before health data is used for AI training or sold as part of corporate transactions. Until those protections exist, the IBM Watson Health saga remains a template for how healthcare data can be accumulated, transferred, and eventually sold without meaningful consent from the institutions or patients who generated that data.
You Might Also Like
- Lawsuit Claims Thomson Reuters Sold Journalists’ Source Emails to Government Without Warrant
- Lawsuit Claims Palantir Government Data Platform Was Used to Target Immigrants Without Warrants
- Lawsuit Claims Whoop Fitness Tracker Shared Heart Rate Variability Data With Life Insurers