While some insurance companies might not seem like a target for the sales because people may assume they have the information, many health insurance companies try to purchase an individual's past health information to determine the premium to charge and whether to even provide coverage, multiple sources said.
Some hospitals use the information to help target expensive and new treatments via direct mail, sources added, and are also buying the data to try and gain a better picture of local residents.
"They've had to comply with HIPAA legislation and the HIPAA privacy act since 2004," Porter said. "And [they've also had to deal with] the HIPAA security rule, we're talking about PHI (personal health information), and digital format since 2005. So this is coming up on seven years and we're still seeing the escalation of these breaches."
Widespread Data Breaches
According to the HHS Health Information Privacy Tool, there were at least 78 breaches so far this year affecting 500 or more individuals, many affecting thousands, some tens of thousands.
Known to those in the health IT world as the "Wall of Shame," the HHS site lists more than 21 million individuals who have been victims to date.
The Privacy Rights Clearinghouse found more than 130 breaches so far in 2012 -- breaches affecting any number of individuals.
Its website notes a breach affecting 102 individuals occurred recently and that "an employee was fired after an investigation revealed that patient records were accessed without legitimate cause."
"It does certainly speak to a lot of organizations struggling with how to effectively assess risk to medical records and how to adequately protect it," Porter said.
In the meantime, for Julie and Americans throughout the country, that is the way the system works.
However, Peel believes ways to fix the privacy vulnerabilities are available.
"Technologies exist today to allow you to selectively share parts of your record that are relevant on a need-to-know basis with your other physicians and no one else, but we don't have those technologies in wide use," she said.
For Julie, privacy is a battle she continues to fight.
"I asked … please restrict the records and of course they said 'No,'" she said.
"Let me also assure you that our physicians and other staff access information on a strictly 'need to know' basis and as such, we do not restrict access to clinical information from any department or physician," the hospital told her. "I take your concerns very seriously and understand your need for privacy with your psychiatric records. Sometimes it can be a challenge to balance access to records for patient care purposes with the need for privacy."
Since discovering her records were available to the whole health system, Julie has stopped seeking care out of concerns for her privacy.
In a response to ABC News, that hospital system, which ABC News is not naming, said: "Sharing of information among providers who are treating the same patient is in compliance with federal law and is described in the privacy notice given to every patient at the beginning of treatment by the hospital.
"The sequestering of critical mental health data in electronic health records relevant to the patient's safety (e.g., Psychosis, addiction, suicidality) may pose hazards to the patient that are no less significant than would be incurred by the sequestering of vital physical health data such the existence of drug allergies, hypertension, diabetes or a history of, cardiac arrhythmias.