(WXYZ) — When a woman went to Beaumont Hospital in Royal Oak for treatment after a sexual assault, she never thought her personal medical information would end up on social media.
“I felt so betrayed. I felt the lowest I ever felt in my life," said the woman, who asked that we not use her name or show her face on air.
It was as if she was reliving her 2016 assault all over again, when her private medical history landed in a Snapchat video almost two years later, in May of 2018.
Not only does it show private information from her July 2016 visit to Beaumont, legally known as Botsford General Hospital, it lists a diagnosis she said was a result of rape.
“I was actually diagnosed with herpes from it, from the incident. And that was posted everywhere. I was like how did this happen, did the doctor give it to her? Like how does this even happen?” she said.
According to a civil lawsuit against Botsford General Hospital, Advanced Cardiovascular Health in Livonia, and a former Advanced Cardiovascular employee, the person responsible for leaking the private information is the victim's former friend, who worked at Advanced Cardiovascular, a place where the plaintiff had never been a patient.
"We got into a miscommunication and just misunderstanding about us with a guy and she thought something was going on that wasn’t. And then it caused her with the jealousy and everything, to access my medical records from her job and then post them online," the plaintiff explained.
Her attorneys said the info should have never been accessible to the employee, a medical assistant, in the first place.
"My client had never been a patient there. My client had never scheduled an appointment with this facility. My client didn’t have any medical problems that this facility treated," said attorney Jim Rasor with the Rasor Law Firm in Royal Oak.
The lawsuit claims the employee “accessed the plaintiff’s medical records through Botsford’s on-line medical record system” while working as a medical assistant at Advanced Cardiovascular; the two facilities are affiliated according to the suit, and share access to online medical records.
“It’s like the security guard being asleep in the records room," Rasor told Action News.
“There is something inherently wrong when somebody who is not even treated at that facility, is able to go into their medical records system, access highly sensitive medical records, and post them all over the Internet without any accountability," said Brandon Wolfe, an associate with Rasor Law Firm also representing the plaintiff.
When the victim reached out to Beaumont Health’s trust line about the privacy breach, she received a letter from the health system.
It confirms that her medical records were accessed in March and April of 2018, and contained information from her July 2016 visit to Beaumont in Royal Oak, as well as some lab results.
The letter goes on to say that the employee responsible “no longer has access to the Beaumont Health medical record" and that the employee has been terminated from employment at Beaumont Health.
When 7 Action News began digging into the story, a Beaumont spokesperson said the defendant was never employed by Beaumont, and that there was an error in that portion of the letter to the plaintiff.
Mark Geary, Director of External Communications and Media Relations for Beaumont, released the following statement to Action News:
"We use a multifaceted approach to protect patient information. If we discover a patient’s medical record has been inappropriately accessed, we take immediate remedial action, including notifying the patient in writing.
Based upon their job role, health care professionals may be granted limited access to Beaumont patient medical records. [The defendant] was employed by Advanced Cardiovascular Health Specialists (ACHS). She was not a Beaumont employee. To facilitate patient care, Beaumont provides ACHS with limited access to Beaumont’s electronic medical record system.
When we learned of [the defendant's] misuse, we immediately terminated her access to our medical records system and ACHS terminated her employment. We also notified the patient in writing and reported the incident to the Office of Civil Rights."
Action News reached out to Advanced Cardiovascular Health Specialists; their office declined to comment.
Attorney Rolf Lowe with the Wachler Law Firm specializes in the Health Insurance Portability and Accountability Act, or HIPAA, which is designed to protect patient privacy.
He’s not familiar with this specific case, but told Action News digital patient records are often accessible through out-patient facilities associated with a certain hospital.
“HIPAA requires minimum amount of information necessary for someone to do their job if they are covered by HIPAA. That person unless they are involved in the day-to-day, that person’s care, really shouldn’t be looking at that information," Lowe said.
The woman’s attorneys claim Botsford General failed to uphold those standards. They’re suing for negligence.
The lawsuit states: "Defendants [Botsford General Hospital, Advanced Cardiovascular Health] failed to adequately train and supervise Defendant....despite that it knew or should have known her propensity to engage in the aforementioned conduct." It goes on to state that the individual defendant accused of leaking the records "would have regular access to medical files and documents that she had no involvement with medically."
The victim told 7 Action News she had to change phone numbers and even move out-of-state to try and start over.
“The trust was just gone. I was like how could this happen? You go to a doctor and you open up and you think that you can trust them. That’s like the one person you’re taught to trust," she said.
Her attorneys want a jury trial and, in addition to seeking compensation on her behalf, are considering taking criminal legal action against the individual accused of leaking the records.
“There is a continuing duty to have your medical records safeguarded," Wolfe told Action News.
Lowe said as a patient, you have the right to know where your records go and how many other facilities have access to an online records portal; it's something you can request at your doctor's office if you're concerned.