“PPL WORLD WIDE,” the Facebook post shouted, using text-speak for the word “people.” “FRANCES … IS HPV POSITIVE!”
The public missive from January 2014 gave Frances’ full name, along with the revelation that she had human papillomavirus, a sexually transmitted disease that can cause genital warts and cancer. It also included her date of birth and ended with a plea to friends: “PLZ HELP EXPOSE THIS HOE!”
Within hours, a friend told Frances that a former high school pal who lived near her in northwest Indiana had shared a secret that only her family and a former boyfriend knew, she later said.
“My heart fell to my stomach,” said Frances, a dental assistant in her late 20s who asked that her last name not be used. “I started crying immediately.”
The Facebook poster was a patient care technician at the local hospital where Frances was treated, but the two were no longer friends.
Frances complained to a nursing supervisor at the hospital, which sent her a letter of apology in March 2014. “Please know that we take these types of situations very seriously,” the letter said. “We did take action in accordance with our policies and procedures,” it continued, although it did not specify what had been done.
Under the federal law known as HIPAA, it’s illegal for health care providers to share patients’ treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.
The bulk of the government’s enforcement — and the public’s attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited.