by Charles Ornstein in ProPublica
This story was co-produced with NPR.
"PPL WORLD WIDE," the Facebook post shouted, using text-speak for the word "people." "FRANCES … IS HPV POSITIVE!"
The public missive from January 2014 gave Frances' full name, along with the revelation that she had human papillomavirus, a sexually transmitted disease that can cause genital warts and cancer. It also included her date of birth and ended with a plea to friends: "PLZ HELP EXPOSE THIS HOE!"
This year, ProPublica has been chronicling how weaknesses in federal and state laws, as well as lax enforcement, have left patients vulnerable to damaging invasions of privacy.Within hours, a friend told Frances that a former high school pal who lived near her in northwest Indiana had shared a secret that only her family and a former boyfriend knew, she later said.
"My heart fell to my stomach," said Frances, a dental assistant in her late 20s who asked that her last name not be used. "I started crying immediately."
The Facebook poster was a patient care technician at the local hospital where Frances was treated, but the two were no longer friends.
Frances complained to a nursing supervisor at the hospital, which sent her a letter of apology in March 2014. "Please know that we take these types of situations very seriously," the letter said. "We did take action in accordance with our policies and procedures," although it did not specify what had been done.
Under the federal law known as HIPAA, it's illegal for health care providers to share patients' treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.
The bulk of the government's enforcement — and the public's attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited.
As Frances discovered, it's often little-noticed smaller-scale violations of medical privacy — the ones that affect only one or two people — that inflict the most harm.
Driven by personal animus, jealousy or a desire for retribution, small breaches involving sensitive health details are spurring disputes and legal battles across the country:
In Tampa, Florida, a nurse snooped in the medical records of her nephew's partner, learned that she had delivered a baby and had put the child up for adoption. She gave a printout to another family member, and the secret was announced at a family funeral in 2013, the Tampa Bay Times reported. The niece complained to the hospital; the nurse admitted what she did, was fired and relinquished her Florida nursing license.
A New Jersey woman sued a local hospital this fall, alleging that one of its employees shared details about her 11-year-old son's attempted suicide with people at his school. The boy was subsequently "bullied by his peers, called names and made fun of," her lawsuit says.
And in South Carolina, prosecutors allege that lawyers were illegally given information from the state's prescription drug monitoring program database to gain an edge in family court cases. A pharmacist and drug screener were indicted in August for conspiring to violate the rules governing the database; the pharmacist also was accused of disclosing data on prescriptions for controlled substances. The men have pleaded not guilty.
Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, it typically settles for pledges to fix any problems and issues reminders of what the Health Insurance Portability and Accountability Act requires. It doesn't even tell the public which health providers have reported small breaches — or how many.
Tami Matteson, a California high school teacher, complained to the agency in September 2013 after learning that her ex-husband's new wife, who worked as a medical records clerk at the local hospital, had looked at her records more than a dozen times over three years. It turned out the worker also snooped in other people's records, too.
But OCR decided not to sanction Northern Inyo Hospital after it terminated the clerk, sent privacy reminders to staff, increased its audits and instituted new policies. The hospital's compliance officer declined to comment to ProPublica but said in a court filing that the incident may have caused patients to lose confidence in the rural hospital.
Even though the clerk lost her job and pleaded guilty to a misdemeanor criminal charge, and even though the hospital paid Matteson $25,000 to resolve her legal claim, she said she still can't get over what happened. It has undermined her trust in doctors and the entire medical establishment, she said.
"HIPAA did nothing for me — not one thing," Matteson said. "I no longer can go to the doctor and feel safe or comfortable."
Asked about some of the privacy violations highlighted in this report, OCR Director Jocelyn Samuels called them "heartbreaking stories" and "the kinds of harm that HIPAA is intended to address."
She insisted her agency isn't afraid to pursue formal sanctions when they are warranted, but said its primary role is helping health providers to follow the law. "Our preference is always to promote voluntary compliance," Samuels said.
For patients, Samuels' agency is usually the only place they can seek vindication. HIPAA does not give people the right to sue for damages if their privacy is violated. Patients who seek legal redress must find another cause of action, which is easier in some states than others.
After being attacked on Facebook, Frances contacted Indianapolis lawyer Neal Eggeson. He had won jury verdicts for people whose medical information was improperly disclosed. Eggeson contacted the hospital and, without filing suit, secured a confidential settlement for Frances. (He asked that the facility not be named in this story.) Frances' former friend no longer works there, she said.
Frances said she still hasn't fully recovered. She sees a therapist and has a hard time trusting others.
"It's hard to even still deal with it," she said. "I'll spend that extra gas money to go into another city to do grocery shopping or stuff like that just so I don't have to see anybody from around the neighborhood."
From insurance defense to privacy offense
Eggeson, a litigator, was defending insurance companies in car accident cases when a "friend of a friend of a friend" referred a young man to him. The man, who is HIV positive, had been sued over a $326 debt by the medical group that had been treating him. The group's court filing gave the man's name, home address, Social Security number and date of birth — and included a billing statement containing the phrase "Last Diagnosis: HIV.""His first concern was getting the court record sealed, more than anything else," Eggeson said. "I don't think he had any designs or visions beyond that."
A jury awarded the man $1.25 million.
After that victory, Eggeson represented Abigail Hinchy, who alleged that a Walgreens pharmacist had snooped in her prescription records and shared the information with the father of Hinchy's child (the man was dating and later married the pharmacist). Among the data shared: Hinchy had stopped taking birth control pills shortly before she became pregnant. A jury ordered Walgreens and the pharmacist to pay Hinchy $1.44 million.
A state appeals court upheld the award last year, saying trial evidence showed the man used Hinchy's information to berate her for "getting pregnant on purpose" and extorted her "by threatening to release the details of her prescription usage to her family unless she abandoned her paternity lawsuit."
A copy of Walgreens' check is framed on the wall of Eggeson's home office, not far from his life-sized Batman costume and Star Wars lightsabers.
In 2008, Eggeson stopped handling insurance work altogether to devote himself to privacy cases.
"The vast majority of people who come through my door honestly are upset that no one has stepped up to the plate and said that what happened to you was wrong," he said. "If the health care provider isn't going to give them that satisfaction, then maybe a jury will."
Among Eggeson's current clients is a couple who claim that when their son was in an ATV accident this August, a hospital worker posted a comment on Facebook before the hospital had told them the teen had died. Panicked relatives who saw the post began calling his parents for updates, adding stress to an already wrenching time.
"It wouldn't have changed the outcome," said John Stuck, the boy's father, "but just the feeling of what in the heck, what do they know that we don't, that's what freaked me out I think the most."
Eggeson said he's handling about a dozen cases. He turns away far more, mostly because he's a solo practitioner with limited bandwidth and isn't licensed in other states.
He shared a 17-page list of the calls and emails he's received since mid-2013, including a sentence or two about each but no identifying information. Among them: A Massachusetts woman whose ex-sister-in-law accessed the patient's infectious disease records, told relatives and posted it on Twitter, and a whistleblower at the U.S. Department of Veterans Affairs who contends her own medical records were accessed hundreds of times in retaliation.
When Eggeson files lawsuits, he argues that privacy breaches amount to medical malpractice.
"My argument has been that protecting the confidentiality of your protected health information, protecting your privacy, is part of what it is to be a doctor," he said. "It's part of your oath, it's part of your duty."
While Indiana courts have been receptive to such arguments, courts in Ohio, Minnesota and other states have ruled that health providers are not liable for the actions of workers who snoop in medical records outside the scope of their jobs.
A federal court in New York rejected a claim against the Guthrie Clinic, where a nurse accessed records of a man being treated for an STD after recognizing him as her sister-in-law's boyfriend.
While the man was awaiting treatment, the nurse sent at least six text messages to her sister-in-law informing her of his condition. The man, identified in court records as John Doe, complained to the clinic's administrator and the nurse was fired, but a judge ruled the clinic couldn't be held responsible for her actions.
"There is no evidence or allegation that [the nurse] took such steps on behalf of the clinic, or with the clinic's authorization," U.S. District Judge Michael Telesca wrote in 2012, dismissing the case. A federal appeals court upheld the ruling.
This summer, a Los Angeles jury ruled against a patient who sued UCLA and the Regents of the University of California after a romantic rival accessed and shared her medical records. The rival was a temporary worker in the office of a private practice physician affiliated with UCLA's Santa Monica hospital. The doctor acknowledged improperly sharing his password and settled his part of the lawsuit.
UCLA maintained that it had taken adequate steps to protect patient privacy and that it should not be held liable for doctors and employees who break the rules. "We are pleased that the jury recognized that UCLA Health System's policies concerning electronic medical records strike the right balance between protecting patient privacy and providing our patients with world-class medical care," it said in a statement after the verdict. UCLA declined further comment.
J. Bernard Alexander III, the plaintiff's lawyer, said UCLA's privacy protections weren't enough to catch violators unless patients complained. "If you aren't checking to find out if there was a breach, you aren't going to find it."
Eggeson said it's distressing that more states aren't like Indiana.
"Privacy protections should be the same regardless of what state you're in," he said. "There is something wrong with an employer providing the means, providing the access, and providing the tools by which an employee can commit this crime and then being able to hold up their hands and say, ‘It's not our fault.'"
Small breaches get less attention
The vast majority of the Office for Civil Rights' enforcement work has been directed at large-scale medical data breaches, whether or not they result in any demonstrable real-world harm.Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected. OCR's website makes public a list of these cases, highlighting them on what industry insiders dub the Wall of Shame.
Several massive breaches have come to light this year: In February, Anthem Inc. disclosed that hackers had accessed records of nearly 80 million people. The following month, Premera Blue Cross, based in the Pacific Northwest, disclosed that a similar cyberattack had exposed the records of some 11 million people.
OCR is investigating these cases — and similar ones — though the companies say there's been no evidence that victims' data has been shared or exploited.
Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.
Organizations only have to report them to OCR once a year. Even then, the agency doesn't post them online and HHS has rejected requests under the Freedom of Information Act for information about them.
HHS is supposed to submit annual reports to Congress about the number and nature of medical privacy breaches and the actions it has taken in response. But the department actually submits such reports every two years and its most recent one covered 2011 and 2012. OCR says another report will be coming soon.
Since 2009, OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported.
The agency has levied only a few fines for HIPAA violations that involved a small numbers of people. Among them: In 2008, UCLA Health System agreed to pay $865,500 for failing to protect the privacy of two celebrity patients. And in 2013, Shasta Regional Medical Center in California paid $275,000 for sharing medical information with news organizations and employees about a patient who was featured in a news article alleging potential Medicare fraud.
In September, the HHS inspector general issued a pair of reports that criticized the Office for Civil Rights, including its handling of small breaches. The inspector general said OCR did not investigate the small breaches reported to it or log them in its tracking system.
"OCR does not record that information and therefore it's not available for staff to be able to look over time" for repeat offenders, said Blaine Collins, regional inspector general for evaluation and inspections in San Francisco. "Boy, that's critical for monitoring and oversight."
Samuels said that her agency is implementing the inspector general's recommendations to improve oversight. "We are constantly looking for ways to better serve the public and improve our operations," she said.
‘An act of vengeance and retaliation'
Peter Brabeck, a 73-year-old retired petrophysicist who worked for the oil giant BP, turned to OCR in September 2011 when he found himself in the midst of a nightmare.It began a year earlier when Brabeck's brother complained to the Medical Board of California that Dr. Steven Mangar, a pain doctor in Salinas, California, had overprescribed controlled substances to Peter. The medical board accused Mangar of prescribing drugs without examining Peter Brabeck and sought to take disciplinary action against his license.
Mangar reacted by hiring a private investigator to dig up dirt on Brabeck — and gave the investigator all of Brabeck's medical records. When Mangar refused to pay the investigator, he approached Brabeck's brother and showed him the records. The investigator then offered to sell the records to Peter Brabeck, who within days complained to the Office for Civil Rights.
"Here we have not only a gross violation of [HIPAA] laws protecting the confidentiality of every patient's medical history, but in my mind far worse," Brabeck wrote in his complaint. "Here is a deliberate attempt, born of vengeance, with malice aforethought to inflict great harm on his own patient."
Two years later, the Office for Civil Rights wrote back, saying it was "pleased to inform" Brabeck that his complaint has been resolved. It said it had provided Mangar's clinic, the Pacific Pain Care Institute, with guidance on how to comply with privacy rules. It said Mangar had acknowledged that he "impermissibly disclosed" Brabeck's personal health information to the private investigator.
OCR also said that Mangar had agreed to provide Brabeck with free credit monitoring.
"Based on the foregoing, OCR is closing this case without further action," the letter said.
Brabeck, who lives near Carmel, California, said he never actually received the credit monitoring. More importantly, he was left with a sense that the agency didn't take his case seriously.
"I made very clear in my letter that it was an act of vengeance and retaliation," he said. "That's why I was so surprised at how lightly they dismissed the whole thing."
Even the private investigator who asked Brabeck's brother for money was surprised by the outcome of the case.
"In all my years in the business, I never experienced anything like that where a complete file was turned over," said Dan Taubman, who said he is still owed $6,800 by Mangar. "He didn't care who he hurt or burned."
Mangar did not return calls for comment. California's medical board placed his license on probation in 2012 and is now seeking to revoke it, saying he violated his probation and provided negligent care to other patients. Earlier this year, federal and state investigators served search warrants at Mangar's office and home. Monterey County Deputy District Attorney Amy Patterson said Brabeck's concerns are part of a much broader investigation that she could not discuss because it is ongoing.
OCR director Samuels said Brabeck's case pre-dated her arrival at the agency. But she said it was consistent with "our general principles" in terms of the nature of the injury, the number of individuals affected and a provider's lack of prior HIPAA violations. She also said the doctor agreed to apologize, which "can be very powerful in terms of remedying the damage that has been done."
Brabeck said he didn't get an apology: "No. Absolutely not."
Warning employees before they snoop
Cedars-Sinai Medical Center in Los Angeles is trying to stop privacy breaches before they happen. Known for its celebrity clientele — its board of directors includes Barbra Streisand and Steven Spielberg — Cedars-Sinai has dealt repeatedly with employees trying to access records they have no business seeing.In July 2013, the hospital fired six people who inappropriately accessed patient records, reportedly including those of reality TV star Kim Kardashian, who had given birth at the hospital to her daughter with rapper Kanye West.
The hospital fired three employees and took corrective action against three other people last year for inappropriately accessing patient information; it terminated two more workers this year, spokesman Richard Elbaum said.
Like other hospitals, Cedars-Sinai's electronic medical records system has a feature known as "break the glass." When an employee attempts to access information on high-profile patients, the system asks for a reason and requires the employee to re-enter his or her password.
That generally works, but such a warning isn't in place for every record, in part because officials in the information security world fear it would be ignored if it were seen merely as a second password requirement. For typical patients, it generally takes a complaint to trigger a review of the transaction log to see if anybody inappropriately accessed a record.
Cedars-Sinai is working with security specialists to augment its first layer of protection. Its goal: To create a warning system that generates automatic alerts based on pattern recognition, akin to what credit-card companies use to flag suspicious transactions.
The system will sift through the hospital network's traffic, looking for unusual activity. It might flag an obstetrician/gynecologist looking at the records of male patients or a staff member who looks at six medical records in quick succession. It might notice a staff member looking at the records of a neighbor. Or it might recognize that one staffer has looked at 20,000 records in a month when peers only viewed 3,000.
"Maybe they deserve a raise — or something is awry," said Darren Dworkin, chief information officer at Cedars-Sinai Health System.
Cedars-Sinai, the largest acute-care hospital in California, hopes to make the system live within the next six months. Cedars-Sinai and Dworkin have received a patent on the idea.
"Rather than have to report to a patient I'm sorry this happened, wouldn't it be better if we had real-time tools that asked you, ‘Are you sure you want to do this?' Maybe sometimes that gentle reminder can stop something before it happens," Dworkin said.
One day, Dworkin said, such technology could become routine in health care — and organizations could be fined for not using it. "I can see a time when this stuff becomes the standard operating procedure," he said. "I hope it does."
NPR reporter Alison Kodjak contributed to this report.
This story is part of a yearlong examination into how secure medical privacy is. Has your medical privacy been compromised? Help ProPublica investigate by filling out a short questionnaire. You can also read other stories in our Policing Patient Privacy series.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.