“PPL WORLD WIDE,” the Facebook post shouted, using text-speak for the word “people.” “FRANCES … IS HPV POSITIVE!”
The public missive from January 2014 gave Frances’ full name, along with the revelation that she had human papillomavirus, a sexually transmitted disease that can cause genital warts and cancer. It also included her date of birth and ended with a plea to friends: “PLZ HELP EXPOSE THIS HOE!”
Within hours, a friend told Frances that a former high school pal who lived near her in northwest Indiana had shared a secret that only her family and a former boyfriend knew, she later said.
“My heart fell to my stomach,” said Frances, a dental assistant in her late 20s who asked that her last name not be used. “I started crying immediately.”
The Facebook poster was a patient care technician at the local hospital where Frances was treated, but the two were no longer friends.
Frances complained to a nursing supervisor at the hospital, which sent her a letter of apology in March 2014.
Under the federal law called the Health Insurance Portability and Accountability Act, or HIPAA, it’s illegal for health care providers to share patients’ treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.
The bulk of the government’s enforcement — and the public’s attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed but little exploited.
As Frances discovered, it’s often little-noticed, smaller-scale violations of medical privacy — the ones that affect only one or two people — that inflict the most harm.
Driven by personal animus, jealousy or a desire for retribution, small breaches involving sensitive health details are spurring disputes and legal battles across the country:
In Tampa, Fla., a nurse snooped in the medical records of her nephew’s partner, and learned that she had delivered a baby and had put the child up for adoption. She gave a printout to another family member, and the secret was announced at a family funeral in 2013, the Tampa Bay Times reported. The nephew’s partner complained to the hospital; the nurse admitted what she had done, was fired and relinquished her Florida nursing license.
And in New Jersey, a woman sued a local hospital this fall, alleging that one of its employees shared details about her 11-year-old son’s attempted suicide with people at his school. The boy was subsequently “bullied by his peers, called names and made fun of,” her lawsuit says.
Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, the office typically settles for pledges to fix any problems and issues reminders of what the privacy law requires. It doesn’t even tell the public which health providers have reported small breaches — or how many.
Asked about some of the privacy violations highlighted in this report, OCR Director Jocelyn Samuels called them “heartbreaking stories” and “the kinds of harm that HIPAA is intended to address.”
She insisted her agency isn’t afraid to pursue formal sanctions when they are warranted, but said its primary role is helping health providers to follow the law. “Our preference is always to promote voluntary compliance,” Samuels said.
For patients, Samuels’ agency is usually the only place they can seek vindication. HIPAA does not give people the right to sue for damages if their privacy is violated. Patients who seek legal redress must find another cause of action, which is easier in some states than in others.
After being attacked on Facebook, Frances contacted Indianapolis lawyer Neal Eggeson. He had won jury verdicts for people whose medical information was improperly disclosed. Eggeson contacted the hospital and, without filing suit, secured a confidential settlement for Frances. (He asked that the facility not be named in this story.) Frances’ former friend no longer works there, she said.
Frances said she still hasn’t fully recovered. She sees a therapist and has a hard time trusting others.
“It’s hard to even still deal with it,” she said. “I’ll spend that extra gas money to go into another city to do grocery shopping or stuff like that, just so I don’t have to see anybody from around the neighborhood.”
Ties Of Friendship Lead Lawyer To Privacy Practice
Eggeson, a litigator, was defending insurance companies in car accident cases when a “friend of a friend of a friend” referred a young man to him. The man, who is HIV positive, had been sued over a $326 debt by the medical group that had been treating him. The group’s court filing gave the man’s name, home address, Social Security number and date of birth — and included a billing statement containing the phrase “Last Diagnosis: HIV.”
“His first concern was getting the court record sealed, more than anything else,” Eggeson said. “I don’t think he had any designs or visions beyond that.”
A jury awarded the man $1.25 million.
After that victory, Eggeson represented Abigail Hinchy, who alleged that a Walgreens pharmacist had snooped in her prescription records and shared the information with the father of Hinchy’s child (the man was dating and later married the pharmacist). Among the data shared: Hinchy had stopped taking birth control pills shortly before she became pregnant. A jury ordered Walgreens and the pharmacist to pay Hinchy $1.44 million.
A copy of Walgreens’ check is framed on the wall of Eggeson’s home office, not far from his life-sized Batman costume and Star Wars lightsabers.
Among Eggeson’s current clients is a couple who claim that when their son was in an ATV accident this August, a hospital worker posted a comment on Facebook before the hospital had told them the teen had died. Panicked relatives who saw the post began calling his parents for updates, adding stress to an already wrenching time.
“It wouldn’t have changed the outcome,” said John Stuck, the boy’s father, “but just the feeling of, ‘What in the heck? What do they know that we don’t?’ — that’s what freaked me out I think the most.”
When Eggeson files lawsuits, he argues that privacy breaches amount to medical malpractice.
While Indiana courts have been receptive to such arguments, courts in Ohio, Minnesota and other states have ruled that health providers are not liable for the actions of workers who snoop in medical records outside the scope of their jobs.
This summer, a Los Angeles jury ruled against a patient who sued UCLA and the Regents of the University of California after a romantic rival accessed and shared her medical records. The rival was a temporary worker in the office of a private practice physician affiliated with UCLA’s Santa Monica hospital. The doctor acknowledged improperly sharing his password and settled his part of the lawsuit.
Eggeson said it’s distressing that more states aren’t like Indiana.
“Privacy protections should be the same regardless of what state you’re in,” he said. “There is something wrong with an employer providing the means, providing the access, and providing the tools by which an employee can commit this crime and then being able to hold up their hands and say, ‘It’s not our fault.’ ”
Federal Focus On Large Breaches Draws Criticism
The vast majority of the federal Office for Civil Rights’ enforcement work has been directed at large-scale medical data breaches, whether or not they result in any demonstrable real-world harm.
Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected. OCR’s website makes public a list of these cases, highlighting them on what industry insiders dub the Wall of Shame.
Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.
Organizations have to report them to OCR only once a year. Even then, the agency doesn’t post them online. HHS has rejected requests under the Freedom of Information Act for information about them.
Since 2009, OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported.
In September, the HHS inspector general issued a pair of reports that criticized the Office for Civil Rights, including its handling of small breaches. The inspector general said OCR did not investigate the small breaches reported to it or log them in its tracking system.
“OCR does not record that information and therefore it’s not available for staff to be able to look over time” for repeat offenders, said Blaine Collins, regional inspector general for evaluation and inspections in San Francisco. “Boy, that’s critical for monitoring and oversight.”
Samuels said that her agency is implementing the inspector general’s recommendations to improve oversight. “We are constantly looking for ways to better serve the public and improve our operations,” she said.
Pain Doctor Gives Private Investigator Patient’s Records
Peter Brabeck, a 73-year-old retired petrophysicist who had worked for the oil giant BP, turned to OCR in September 2011 when he found himself in the midst of a nightmare.
It began a year earlier when Brabeck’s brother complained to the Medical Board of California that Dr. Steven Mangar, a pain doctor in Salinas, Calif., had overprescribed controlled substances to Peter. The medical board accused Mangar of prescribing drugs without examining him and sought to take disciplinary action against Mangar’s license.
Mangar reacted by hiring a private investigator to dig up dirt on Brabeck — and gave the investigator all of Brabeck’s medical records. When Mangar refused to pay the investigator, he approached Brabeck’s brother and showed him the records. The investigator then offered to sell the records to Peter Brabeck, who within days complained to the Office for Civil Rights.
“Here we have not only a gross violation of [HIPAA] laws protecting the confidentiality of every patient’s medical history, but in my mind far worse,” Brabeck wrote in his complaint. “Here is a deliberate attempt, born of vengeance, with malice aforethought to inflict great harm on his own patient.”
Two years later, the Office for Civil Rights wrote back, saying it was “pleased to inform” Brabeck that his complaint has been resolved. It said it had provided Mangar’s clinic, the Pacific Pain Care Institute, with guidance on how to comply with privacy rules. It said Mangar had acknowledged that he “impermissibly disclosed” Brabeck’s personal health information to the private investigator.
OCR also said that Mangar had agreed to provide Brabeck with free credit monitoring.
Brabeck, who lives near Carmel, Calif., said he never actually received the credit monitoring. More importantly, he was left with a sense that the agency didn’t take his case seriously.
“I made very clear in my letter that it was an act of vengeance and retaliation,” he said. “That’s why I was so surprised at how lightly they dismissed the whole thing.”
Mangar did not return calls for comment. California’s medical board placed his license on probation in 2012 and is now seeking to revoke it, saying he violated his probation and provided negligent care to other patients. Earlier this year, federal and state investigators served search warrants at Mangar’s office and home. Monterey County Deputy District Attorney Amy Patterson said Brabeck’s concerns are part of a much broader investigation that she could not discuss because it is ongoing.
OCR director Samuels said Brabeck’s case predated her arrival at the agency. But she said it was consistent with “our general principles” in terms of the nature of the injury, the number of individuals affected and a provider’s lack of prior HIPAA violations. She also said the doctor agreed to apologize, which “can be very powerful in terms of remedying the damage that has been done.”
Brabeck said he didn’t get an apology: “No. Absolutely not.”
NPR correspondent Alison Kodjak contributed to this report.
ProPublica is a nonprofit newsroom based in New York. This story is part of a yearlong examination into the security of medical information. Has your medical privacy been compromised? Help ProPublica investigate by filling out a short questionnaire. You can also read other stories in the Policing Patient Privacy series.