Small Violations Of Medical Privacy Can Hurt Patients And Erode Trust

Shots - Health News

Breaches that expose the health details of just a patient or two are proliferating nationwide. Regulators focus on larger privacy breaches and rarely take action on small ones, despite their harm.

ProPublica's Charles Ornstein talks about data breaches


Alison Kodjak reports on data breaches



GREENE: You know, it turns out your medical privacy is not nearly as secure as you might think it is. The investigative news organization ProPublica has been looking at this for the last year or so. And that is exactly what they have found. And joining me now from our New York bureau is ProPublica senior reporter Charles Ornstein. Hey, Charles.


GREENE: So I want to talk about what exactly you have been looking into because, I mean, some of what you've written here is shocking. I mean, the government is getting tens of thousands of reports of medical privacy being violated. What exactly are these violations?

ORNSTEIN: Well, so the big headlines are, of course, that these major insurance companies have been breached, and tens of millions of people have had their records exposed. But...

GREENE: These are some of the big instances we heard about - I mean, like, Anthem and these big insurance companies, the hacks.

ORNSTEIN: Exactly, exactly. But those have left a lot of information exposed but not really exploited. Where the real harm for patients has come in is these much smaller privacy breaches.

GREENE: Things that might have been going on whether there were these hacks or not. I mean, these are incidences, it looks like, where someone just had access to medical information and did something with it. I'm thinking of this horrifying example in your piece where this couple, their son died in an ATV accident. And a hospital worker just posted that on Facebook before the parents even found out.

ORNSTEIN: That's right. Back in August, this Indiana couple, their son was in an ATV accident and was taken to the hospital. And they started getting panicked calls from relatives who had read on Facebook their condolences from a hospital worker. And they hadn't even been told yet.

GREENE: There was another story about a woman who accused a Walgreens pharmacist of letting out some of her medical information. Tell me about that.

ORNSTEIN: Well, this woman started getting letters and texts from her ex-boyfriend, the father of her child, saying that you stopped taking birth control pills. And she wondered how this happened. She was able to eventually discover that the woman who was dating the man subsequently was a Walgreens pharmacist and then was able to discover that she had looked in her records and shared this information. And the father of her child tried to use this to blackmail her into not filing a paternity lawsuit.

GREENE: This is a woman who worked at Walgreens who was dating a guy and said, hey, this woman who got pregnant with your child, she had stopped taking birth control. I know that because I looked at her medical records.

ORNSTEIN: Absolutely, that's what was proven in this case.

GREENE: So what happens when these cases are reported? I mean, are there lawsuits? Are the lawsuits successful?

ORNSTEIN: So there's an organization, a regulatory body called the Office for Civil Rights within the U.S. Department of Health and Human Services. They have not really taken very major regulatory action, imposed fines against institutions. And so some people have sued. And they've had mixed success. In Indiana, there have been a couple verdicts against companies for not protecting records. But in other states, the courts have sort of closed the courthouse doors to these sort of situations.

GREENE: The lesson here, maybe when we hear about these data breaches, I mean, those are big events but that we should be focusing on some of these one-time things and thinking about other ways that our medical information can be exploited, I guess.

ORNSTEIN: I think the lesson is even though you sign all this paperwork and you feel that your information is secure and organizations are taking all these steps to protect it, in fact, this is a really weak ecosystem that is dependent on people honoring their obligations and their ethics. But too often it's really easy to find out information and share it. And sadly, that's a fact of life. And we just have to sort of anticipate that as we seek medical care.

GREENE: Charles, thanks, as always.

ORNSTEIN: Thanks, David.

GREENE: That's Charles Ornstein of ProPublica. You can read his article at and also at And you can also hear much more about this tonight on All Things Considered.

Copyright © 2015 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.