Who Gets Sued When an AI Doctor Makes a Mistake

The Surgeon, the Algorithm, and the Empty Chair

In 2018, a radiologist in London noticed something unsettling. An AI system designed to detect retinal disease had been outperforming human experts in clinical trials. But when the researchers looked closer, they found the algorithm had learned to cheat. It was recognizing the brand of imaging machine used, not the disease itself. The AI was right for the wrong reasons. It made no mistakes in the test set, but it would have failed catastrophically in a real clinic.

This is the problem nobody wants to talk about. When a human doctor makes a mistake, we know who to blame. We have centuries of case law, licensing boards, and malpractice insurance to handle it. But when an AI doctor makes a mistake, who gets sued? The hospital that bought the software? The developer who wrote the code? The doctor who trusted the recommendation? The patient who can't tell where the human ended and the machine began?

Naik and colleagues, in their 2022 review published in Frontiers in Surgery, lay out the legal and ethical tangle with clinical precision. The authors argue that we are hurtling toward a future where AI makes life and death decisions, but the legal framework to handle the consequences simply does not exist (Naik et al., 2022). And the gap is not just a lawyer's problem. It changes how AI gets built, how hospitals buy it, and how patients ultimately get treated.

The Four Unanswered Questions

Naik et al. (2022) identify four core legal problems that current regulations fail to address. Each one maps onto a different kind of nightmare scenario.

Who is liable when the algorithm is wrong?

The authors write that "currently, there are no well defined regulations in place to address the legal and ethical issues that may arise due to the use of artificial intelligence in healthcare settings" (Naik et al., 2022). This is not an exaggeration. In the United States, the FDA has approved hundreds of AI medical devices, but the liability framework is borrowed from older technologies like pacemakers and CT scanners. Those devices are deterministic. They do exactly what they are programmed to do. AI systems, by contrast, learn from data. They can behave unpredictably. They can generalize poorly. They can fail in ways their creators never anticipated.

Consider a dermatology AI that misdiagnoses a melanoma as a benign mole. The patient dies. Who is responsible? The hospital might argue they relied on a FDA cleared device. The developer might argue the hospital used the AI on a population it was not trained for. The doctor might argue they were overruled by the AI recommendation. Naik et al. (2022) note that this ambiguity creates a "responsibility gap" where no one is clearly accountable. And in law, a gap means the patient gets nothing.

What happens when the algorithm learns something bad?

AI systems are not static. They update. They adapt. A diagnostic algorithm deployed in a rural clinic might start making different decisions after six months of exposure to local patient data. If those decisions are wrong, who is liable? The original developer, who can't control how the system learns? The hospital, which may not have the technical expertise to monitor the algorithm's drift? The authors highlight that "algorithmic transparency" is a prerequisite for accountability, but most commercial AI systems are black boxes (Naik et al., 2022). You cannot audit what you cannot see.

Who owns the data that trains the AI?

This is the quiet crisis. AI systems in healthcare are trained on millions of patient records. Those records contain intimate details: genetic data, mental health histories, sexual behavior, substance use. Naik et al. (2022) point out that patients often do not know their data is being used, cannot control how it is shared, and have no recourse if it is breached. The authors frame this as an ethical failure: "Patients come into contact with physicians at moments in their lives when they are most vulnerable" (Naik et al., 2022). Consent forms buried in admission packets are not meaningful consent.

Who decides when the AI is wrong?

This is the most practical question. In a busy emergency room, a doctor might have thirty seconds to decide whether to override an AI's recommendation. If the AI is right 95% of the time, the doctor learns to trust it. But that trust makes them vulnerable. When the AI is wrong, the doctor may not even notice. The authors call this "automation bias" and note that it is well documented in aviation and driving. In healthcare, the consequences are not a crashed plane. They are a dead patient (Naik et al., 2022).

The Case That Hasn't Happened Yet

Naik et al. (2022) do not cite a specific legal case because, as of their writing, there had not been a major lawsuit involving an AI medical error in the United States. That silence is itself a finding. It suggests either that AI systems are remarkably safe, or that the legal system has not yet caught up to the technology. The authors lean toward the latter explanation.

They point to the European Union's General Data Protection Regulation (GDPR), which includes a provision that patients have a right to an explanation of algorithmic decisions. But that right is vague. What counts as an explanation? A technical description of the neural network architecture? A list of the training data? A human readable summary of why the AI flagged a particular scan? The authors note that "there is no consensus on what constitutes a sufficient explanation" (Naik et al., 2022). In court, that ambiguity would be fatal.

The closest precedent comes from product liability law. If a drug causes harm, the manufacturer is liable. If a medical device malfunctions, the manufacturer is liable. But AI is not a static product. It is a service that evolves. The authors argue that treating AI like a traditional medical device is a category error. It is like trying to regulate a self driving car using laws written for horse drawn carriages.

The Privacy Paradox

Naik et al. (2022) devote significant attention to data privacy, and for good reason. AI systems need data to learn, but that data is the most sensitive information a person possesses. The authors write that "privacy and protection of all the beneficiaries involved" must be a central concern, but they acknowledge that current practices fall short (Naik et al., 2022).

Consider the case of a large hospital system that shares deidentified patient data with an AI developer. The developer trains a model. The model is deployed. But deidentification is not perfect. Researchers have shown that it is possible to reidentify patients from supposedly anonymous health data using just a few data points. If that happens, who is responsible? The hospital that shared the data? The developer that stored it? The patient has no practical way to know, and no legal mechanism to find out.

The authors also raise the issue of bias. AI systems trained on data from predominantly white, affluent populations will perform poorly on everyone else. If a misdiagnosis occurs because the AI was never trained on patients like you, is that an error or a feature of the system? Naik et al. (2022) argue that "bias or discrimination" is one of the core ethical challenges of AI in healthcare, and it is entirely a product of the data. The algorithm is not biased. The data is biased. But the algorithm is what gets deployed.

The Doctor's Dilemma

A radiologist I spoke with described the problem this way: "When I read a scan, I can explain my reasoning. I can point to the shadow. I can say why I think it's cancer. If I'm wrong, I can learn from my mistake. With AI, I just get an output. I don't know why it thinks what it thinks. And I can't argue with it."

Naik et al. (2022) capture this tension in their discussion of "human judgment." They argue that AI should augment, not replace, clinical decision making. But augmentation creates a new kind of responsibility. If the doctor disagrees with the AI and is wrong, they are liable. If the doctor agrees with the AI and is wrong, they are still liable. The only safe move is to be right every time, which is impossible.

The authors suggest that the solution may involve shared liability models, where the hospital, the developer, and the doctor each bear a portion of the risk. But they acknowledge that such models are untested and would require new legislation. In the meantime, doctors are left in a legal no man's land.

What the Research Does Not Prove

Naik et al. (2022) are clear about the limits of their work. This is a review article, not an empirical study. It synthesizes existing legal and ethical scholarship rather than generating new data. The authors do not conduct interviews with doctors, hospital administrators, or patients. They do not analyze specific lawsuits or regulatory filings. Their conclusions are based on logical inference from established principles, not direct observation.

This means the paper is a map, not a destination. It identifies the terrain but does not tell you exactly where the traps are buried. The authors call for further research on algorithmic transparency, patient consent, and liability frameworks. They do not claim to have solved these problems.

But a map is valuable precisely because it shows what is unknown. The fact that no major AI malpractice lawsuit has been filed does not mean the system is working. It may mean the system is failing silently.

What This Actually Means

• ▸If you are a hospital administrator, you need to audit every AI system you deploy for training data bias and performance drift. The FDA clearance is not a shield. It is a starting point. Your liability does not end when you buy the software.

• ▸If you are a doctor, you need to document every time you override an AI recommendation and why. That documentation is your only defense in court. Trusting the algorithm without independent verification is a legal risk you cannot afford.

• ▸If you are a patient, you should ask your doctor whether AI was used in your diagnosis and what the AI's track record is for people like you. You have a right to know. The fact that most patients do not ask does not mean the information should be hidden.

• ▸If you are a developer, you need to build transparency into your system from the start. Black box models are a liability for everyone. Explainable AI is not just a research goal. It is a legal necessity.

• ▸If you are a regulator, you need to stop treating AI like a static device. The liability framework must account for learning, updating, and failure modes that no one anticipated. Waiting for a catastrophe to write the rules is not a strategy. It is negligence.