Middle Tennessee doctor violates federal HIPAA law

WSMV4 Investigates finds out what patients can do if their medical information is made public
A Middle Tennessee woman is shocked after a doctor shared her dad's personal information on a social media post.
Published: Oct. 17, 2022 at 7:40 PM EDT
Email This Link
Share on Pinterest
Share on LinkedIn

NASHVILLE, Tenn. (WSMV) - When we all go to the doctor, we trust that our personal information is kept safe, and under the federal law known as HIPAA, it’s supposed to be.

You can only imagine the shock a Middle Tennessee woman had when she found out her father’s personal information was shared on social media.

As WSMV4 Investigates found out, once out there, there’s no telling who has it and what’s being done with it.

What started with a scan of a suspicious spot resulted in a procedure at Maury Regional Medical Center to confirm a Stage 1 lung cancer diagnosis for Tisha Russell’s father.

“I just couldn’t believe this was happening. He’s all we have left. He’s our backbone,” Russell said.

She said the shocking news became even more upsetting just a few days later.

“Dr. Freels had taken pictures while he was doing the procedure and posted them on social media,” Russell said.

The post from Dr. Jon Freels, a pulmonologist at Maury Regional, not only talked about the procedure, but the picture had sensitive information on it.

That information included his name, date of birth and an account number.

And that post was shared by at least one other person.

“What did you think when you saw that post?” WSMV Investigative Reporter asked.

“I was stunned. I didn’t believe it,” Russell said.

Now, Russell is worried about her father’s personal information out there on the web.

“Your job is to protect you patients. If you can’t trust your doctor to protect your privacy, including your name and your account number. Who can you trust?” Russell said.

“Nothing is ever really taken down off the internet,” Scott Augenbaum, a retired FBI agent with expertise in cyber-crime prevention, said.

Augenbaum said those few pieces of information is enough for someone to steal your identity.

“Once that information is out there in the hands, the cyber criminals can get that information, open up credit cards in your name and really cause a lot of havoc,” Augenbaum said.

Maury Regional Medical Center sent an apology letter. A supervisor saying she regrets the incident happened and as soon as they became aware of the post, it was immediately taken down.

However, the hospital would not tell WSMV4 Investigates whether Freels was disciplined for violating HIPAA laws.

The hospital did follow proper protocol, which is to report incidents like this to Health and Human Services.

Freels denied WSMV4 Investigates’ request for an interview about the incident, but in an email apologized to Russell’s family, saying in part, “I deeply regret that in sharing with colleagues’ information about the progressive technology we are using to better serve our patients, I inadvertently included patient information.”

“This is a mistake that shouldn’t have happened. This can happen to anybody,” Russell said.

The Russell family wants this to be a warning so others can be proactive and take steps now to protect their personal information.

Experts said what you can do now is freeze your credit so that if something like this does happen, that information can’t be used to steal your identity.

WSMV4 Investigates also spoke with local attorneys who gave good information and advice on your rights as a patient if HIPAA is violated and what you can and should do.

According to local attorneys, there is no ability for a patient to sue for this sort of violation under federal law, but Tennesseans can bring a lawsuit under the state’s Patient’s Privacy Protection Act if the patient can prove they suffered damages from the exposure of their private health information.

You also want to be sure you file a formal complaint with the U.S. Department of Health and Human Services.

Detailed information about disciplinary actions taken by Tennessee’s Health Professional Boards is available on the Tennessee Department of Health website. You can search licensure fields on the page to enter the name of the person. When the license information comes up, click either “disciplinary action” or “adverse licensure action” in the right column.

WSMV4 Investigates found out complaints against health care providers are confidential in Tennessee unless and until a complaint leads to the filing of formal disciplinary charges by a Health Professional Board.

The Russell family has created a GoFundMe account to help pay expenses surrounding his health and transportation expenses.