By Veronica Duff,
*Securely HERS Cybersecurity Podcast Host

Republican attorney generals of 19 states want access to patients’ medical records.

MSNBC news article reported a few weeks ago that Republican attorneys general of 19 states have sent a letter to the Biden administration demanding access to the private medical records of citizens who cross state lines to access abortion services or gender-affirming care in states where such care is legal¹.

The June 16 letter came in response to a proposed amendment to the Health Insurance Portability and Accountability Act (HIPAA), which would shield the private medical records of people seeking reproductive healthcare services in states where those services are legal from officials in their home states where those services have been banned¹.

The rule change is part of the Biden administration’s efforts to ensure continued access to abortions services and other reproductive healthcare in states that have outlawed abortion following the Supreme Court’s 2022 decision in Dobbs vs. Jackson Women’s Health Organization, which struck down the constitutional right to abortion in the U.S.¹.

According to a report on medical identity theft from 2019, medical records are worth up to $250 on the Dark Web¹. Their price has dropped in recent years due to the increased number of data breaches in the healthcare sector and the growing availability of stolen medical records¹.

Why State Government Agencies Should Not Access Medical Records

Medical records contain sensitive and personal information about a person’s health, diagnosis, treatment, medications, and more. They are supposed to be protected by federal and state laws that limit who can access them and for what purposes. However, some state government agencies may have the right to access medical records without the consent or knowledge of the patients. This poses a serious threat to the privacy, civil rights, and human rights of millions of Americans.

The Risks of Government Access to Medical Records

One of the main risks of government access to medical records is the potential for data breaches. Data breaches are incidents where unauthorized parties gain access to confidential information, often through hacking, phishing, malware, or human error. Data breaches can expose medical records to identity thieves, fraudsters, hackers, or other malicious actors who can use them for various purposes, such as blackmail, extortion, discrimination, or harm.

The healthcare sector is one of the most targeted and vulnerable sectors for data breaches. According to HIPAA Journal, there were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records¹. Some of the largest data breaches involved state government agencies or entities that work with them, such as:

• Scripps Health, a California-based health system that suffered a ransomware attack in May 2021 that affected 1.2 million records¹. The attack caused losses in excess of $113 million due to lost business and clean-up costs¹. There are also several lawsuits outstanding and there could be regulatory fines¹.
• Prospect Medical Holdings, a hospital chain that operates in six states and was hit by a cyberattack in August 2023 that compromised the data of 4.5 million patients². The attack disrupted the operations of several hospitals and health facilities and forced some emergency departments to close temporarily².
• Florida Healthy Kids Corporation, a state agency that administers health insurance programs for children and was breached by hackers in February 2021 that exposed the data of 3.5 million enrollees³. The hackers accessed names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, insurance information, and medical conditions³.

These data breaches show that state government agencies are not immune to cyberattacks and may not have adequate security measures to protect medical records. Moreover, they show that state government agencies may have access to more medical records than necessary or appropriate for their functions. For example, why would a state agency that provides health insurance for children need to access the medical conditions of millions of enrollees?

Another risk of government access to medical records is the potential for misuse or abuse of the information. Government agencies may use medical records for purposes other than those intended or authorized by law, such as law enforcement, national security, immigration enforcement, or political agendas. For example:

• Law enforcement may access medical records to investigate crimes, identify suspects or victims, obtain evidence, or conduct surveillance⁴⁵. However, this may violate the Fourth Amendment rights of patients who have a reasonable expectation of privacy in their medical records⁴⁵. Law enforcement may also access medical records without a warrant or subpoena if they claim an emergency or exigent circumstance⁴⁵. However, this may be abused or misused to circumvent legal safeguards⁴⁵.
• National security may access medical records to prevent or respond to terrorism, espionage, or other threats⁵. However, this may infringe on the First Amendment rights of patients who have freedom of speech, association, and religion⁵. National security may also access medical records without judicial oversight or due process under the Patriot Act or other laws that grant broad powers to intelligence agencies⁵.
• Immigration enforcement may access medical records to identify or detain undocumented immigrants or asylum seekers⁶. However, this may violate the human rights of patients who have the right to health care regardless of their immigration status⁶. Immigration enforcement may also access medical records without consent or notification under state laws that require health care providers to cooperate with federal authorities⁶.
• Political agendas may access medical records to advance or oppose certain policies or candidates based on the health status or preferences of patients⁶. However, this may undermine the democratic rights of patients who have the right to vote and participate in political processes without coercion or manipulation⁶. Political agendas may also access medical records without transparency or accountability under state laws that allow health care providers to share information with law enforcement.

1. hipaajournal.com2. usatoday.com3. healthcareitnews.com4. eff.org5. cdt.org6. verywellhealth.com7. usa.gov8. usa.gov9. healthitsecurity.com10. healthitsecurity.com+8 more

These examples show that government access to medical records may not respect the privacy, civil rights, and human rights of patients. Government agencies may use medical records for purposes that are not related to health care or public health, and that may harm or discriminate against patients based on their medical information. Government agencies may also access medical records without following the legal or ethical standards that apply to health care providers or other entities that handle medical records.

The Benefits of Protecting Medical Records from Government Access

Protecting medical records from government access has many benefits for patients, health care providers, and society. Some of the benefits are:

• Privacy: Patients have the right to keep their medical information confidential and to control who can access it and for what purposes. Privacy is essential for patients to trust their health care providers and to seek the care they need without fear or embarrassment. Privacy also protects patients from identity theft, fraud, blackmail, extortion, or other harms that may result from data breaches or misuse of their medical records.
• Civil rights: Patients have the right to be treated equally and fairly by the government and to enjoy the freedoms and protections guaranteed by the Constitution. Civil rights prevent the government from accessing medical records without a warrant or subpoena, or without probable cause or reasonable suspicion. Civil rights also prevent the government from using medical records to infringe on the rights of patients to speech, association, religion, voting, or participation in political processes.
• Human rights: Patients have the right to health care and to the highest attainable standard of physical and mental health. Human rights ensure that patients have access to quality, affordable, and accessible health care services regardless of their race, ethnicity, gender, age, disability, sexual orientation, immigration status, or other factors. Human rights also ensure that patients have access to information and education about their health and well-being.
• Quality of care: Protecting medical records from government access improves the quality of care that patients receive from their health care providers. Quality of care depends on accurate, complete, and timely medical records that reflect the history, diagnosis, treatment, and outcomes of patients. Quality of care also depends on effective communication and coordination among health care providers who share relevant and necessary medical information with each other.
• Public health: Protecting medical records from government access enhances the public health of society. Public health relies on voluntary and confidential participation of patients in health care programs and research that aim to prevent, detect, treat, or cure diseases and conditions that affect the population. Public health also relies on trust and cooperation between patients and health care providers who work together to improve the health and well-being of individuals and communities.

Conclusion

Medical records are valuable and vulnerable sources of information that contain sensitive and personal details about a person’s health. State government agencies should not access medical records without the consent or knowledge of the patients, unless they have a legitimate and lawful reason to do so.

Government access to medical records poses a serious threat to the privacy, civil rights, and human rights of millions of Americans who entrust their health care providers with their medical information. Protecting medical records from government access has many benefits for patients, health care providers, and society. It ensures that patients can receive quality health care services in a confidential and respectful manner.

It also ensures that patients can exercise their freedoms and protections as citizens in a democratic society. It also ensures that patients can contribute to the public health of society by participating in health care programs and research that benefit everyone.

: Are Medical Records Private? – Verywell Health

: Law Enforcement Access | Electronic Frontier Foundation

: Law Enforcement & National Security Access to Medical Records

: State health departments | USAGov

: The 10 Biggest Healthcare Data Breaches of 2019, So Far – HealthITSecurity

: UPDATE: The 10 Biggest Healthcare Data Breaches of 2020, So Far

: 2022 Healthcare Data Breach Report – HIPAA Journal

According to the web search results, medical records exposed on the dark web can be used by hackers to commit identity theft, insurance fraud, or other malicious activities¹².

If you suspect that your medical records have been compromised, you may want to take some steps to protect yourself, such as:

• Monitor your credit reports and bank accounts for any suspicious activity or charges.
• Contact your health insurance company and medical providers to alert them of the breach and verify any claims or services in your name.
• Request a copy of your medical records and review them for any errors or inaccuracies.
• File a complaint with the Federal Trade Commission (FTC) and your state attorney general’s office.
• Consider using a dark web scan service to check if your personal information is on the dark web and get alerts if any new data is found¹.

: Dark Web Scan: Monitor the Dark Web for Leaked Information- IDStrong

: Hackers are stealing millions of medical records – CBS News

** Portions of this article were researched and written using AI technology and tools.