Your Medical Records May Not Be Private: ABC News Investigation

Psychiatric notes and other info can circulate on the black market.

By ABC News
September 13, 2012, 7:14 AM

Sept. 13, 2012 -- You walk into the doctor's office. They lead you to a private room and shut the door. The nurse enters, writes on a chart (or maybe an iPad) and shuts the door. A doctor enters and shuts the door.

It all screams of privacy -- privacy you expect.

But what if you were to find out those medical records containing your private history, family history and medication history weren't so private after all?

Check out these tips and more at the end of this article for information on how you can protect your health records.

Julie, a lawyer from Boston, discovered that her sensitive health information was available to anyone who worked at the hospital.

"My expectation was that my records were going to be private, especially my therapy records," Julie said. "And if another doctor wanted to see my records, they'd ask me and then I'd give my authorization for them to view my records if they needed to see them."

Julie, who requested her last name not be used, was diagnosed with bipolar disorder in her late teens and began seeing a psychiatrist in 2002 after speaking with her primary care physician.

She, like millions of Americans, thought her conversations with her psychiatrist were confidential.

"I thought I had protection under HIPAA (the Health Insurance Portability and Accountability Act) for my psychotherapy notes to be private and I thought only my psychiatrist could see those," the 42-year-old said, adding that she noticed over the years her physician started entering them electronically.

What she didn't realize was that her physician's notes could be accessed by doctors and other health-care providers who worked in the same health-care system (6,000 doctors and nine affiliated hospitals) -- information she learned after going to see an on-call physician for a stomach issue and realizing he knew about intimate relationship information only disclosed to her psychiatrist.

Concerned, she requested a copy of her medical records from the health care system.

Within those records she saw every note, every meeting, every conversation she had with her psychiatrist.

"It was pretty traumatic because I felt that, you know, this man read without -- against my wishes -- without my consent," Julie said. "He read private information that I disclosed to a therapist that I didn't even tell my best friends about."

Medical Records Online

And while most hospitals have rules about who may access medical records, compliance for the most part is not strictly regulated.

In fact, an ABC News investigation found that often medical information is so unprotected, millions of records can be bought online. Because so many people have access, the entire system is vulnerable to theft, experts told ABC News.

To see exactly how easy it was to find medical records online, ABC News enlisted the help of IT specialist Greg Porter, a consultant with Allegheny Digital.

"This isn't very sophisticated," Porter said. "If you can use a Web browser and you can search to www.google.com, you can begin to try and obtain some of this information."

With two clicks of a mouse, Porter found somebody willing to sell a data dump of diabetic patients with information including their names, birth dates and who their insurance provider was, among other details. Another seller offered 100,000 records of customers who purchased health insurance in the last three to 12 months.