Last week, reporting from Jessica Valenti revealed Heartbeat International, the country’s largest network of unlicensed pregnancy clinics, has been sharing its’ clients’ private health information, seemingly without regard for client privacy.
From Valenti’s reporting: “One of the videos provided to [Abortion, Every Day] shows a member of Heartbeat International’s sales team demonstrating how to use Next Level CMS, the organization’s data collection software. In it, viewers are shown the full names of thirteen women who visited the Unexpected Pregnancy Center in New Iberia, Louisiana, along with information about their due date, last menstrual period, and whether they were given an ultrasound or pregnancy test. In another section of the video, there’s even a map visible that shows where each client lives.”
It’s unclear how long that information was exposed, but the breach goes well beyond one video. Valenti continues:
“This training video shows that Heartbeat isn’t encrypting or de-identifying client data, and that they’re allowing non-medical corporate employees like Reeves—not just local affiliate staff—to see people’s confidential health information. In fact, another video provided to AED indicates that Reeves has access to client data at all Heartbeat CPCs, not just the one in Louisiana. There’s a list of alphabetically ordered centers in the video, with pagination links to even more—suggesting Reeves can retrieve data from any Heartbeat affiliate using the software. It’s reasonable to assume that other corporate employees and volunteers might have similar privileges.”
Unlicensed pregnancy clinics, also known as crisis pregnancy centers, often cite “HIPAA compliance” to convey that the information their clients provide is secure. In response to an inquiry from NBC reporter Abigail Brooks, an official with the US Department of Health and Human Services stated – “Generally, a crisis pregnancy center that provides services for free and does not bill health insurance does not meet the definition of a covered entity under HIPAA and therefore the HIPAA Privacy, Security, and Breach Notification Rules (‘HIPAA Rules’) do not apply.” This training video, which, again, was public to anyone with a simple Google search, shows how little the largest network of unlicensed pregnancy centers is doing to protect their clients’ personal health information and safety.
Last month, watchdog group Campaign for Accountability called on attorneys general in five states to investigate the deceptive privacy practices of these unlicensed pregnancy clinics. These attorneys general must act swiftly to ensure the protection of women’s sensitive health information.