Health Care Providers Brace for Post-Dobbs Onslaught

In Dobbs v. Jackson Women’s Health Organization, No. 19-1392, 597 U.S. ___, the United States Supreme Court held that states were free to ban or otherwise regulate abortion, including abortifacient contraceptives. The rationale behind Dobbs also applies to previous Supreme Court decisions restricting government regulation of other medical services like contraceptives and to other sexual behaviors for which medical records may exist. By permitting the criminalization of medical care, the court has opened the floodgates to demands for medical records by regulators, local police, attorneys general and, in states like Texas, by private citizens who are newly empowered to sue those who seek or who aid and abet both in-state and out-of-state abortion. In other states, the prescribing, transport or use of certain FDA-approved drugs has also become a crime, similarly permitting law enforcement agencies to demand and/or seize records related to such prescriptions.

By criminalizing what was heretofore a private medical procedure, these states have turned clinics, hospitals, pharmacies, labs and other providers into repositories of criminal data subject to subpoena, search warrant or compulsory production of documents or records—even across state lines. Health care providers who previously had to provide records related to billing practices and potential fraud (as well as mandatory reporting of sexual abuse, stabbings or shootings) will likely see a substantial uptick in demands for records related to fertility, miscarriages, IVF, even STDs and the like. In jurisdictions that permit abortions in cases of rape, incest or to save the life of the mother, they may similarly be compelled to produce records that corroborate the existence of such exceptions—including patient communications with psychiatrists or therapists, DNA or other lab tests, or documentation of a patient’s full medical condition to demonstrate “true” imminent harm. Treating the patient (and the doctor) not as a victim but as a criminal not only means that law enforcement will automatically be skeptical of their claims of rape or incest but makes the police an adversarial party in cases of rape or incest. In cases in which the victim is unable to consent because of age (statutory rape) the victim will be forced to provide not only the identity of their sexual partner but their age and the difference between the ages of the two at the time of the sexual contact. Health care providers will have to be prepared for a massive increase in the number (and type) of law enforcement demands not only for patient treatment information but for additional information like video surveillance of parking lots or hallways, or driver’s license scans of visitors who may be “aiding and abetting” the now-banned procedure. 
Physicians and other health care workers can expect their travels and practices to come under similar scrutiny as they move from the category of medical workers to the category of potential felons. Their travel records, text messages, emails and other communications will become subject to search and seizure. EHRs will also become the subject of government scrutiny, with providers or third-party EHR services compelled to produce documents related to gynecological exams or miscarriages (or having those records seized) without the knowledge or consent of the patient or, in the case of cloud storage services, of the hospital or provider. Patient portals will now become accessible to police, prosecutors, or other criminal investigators. Health care providers may have to double or triple the size of their compliance staff to deal with the additional demands for production.

In addition, the criminalization and continued politicization of health care, coupled with various state “abortion bounty” laws that reward private citizens for finding information about “illegal” abortions, create an environment where there are tremendous incentives to either create or hack into medical databases to find information about reproductive practices. In Sorrell v. IMS Health Inc., 564 U.S. 552, the Supreme Court struck down a Vermont pharmaceutical privacy law that restricted the collection and use of physician prescribing data which was being used by pharmaceutical companies to target individual doctors based on their prescribing practices. The court ruled that the manufacturers had a First Amendment right to commercially exploit the information about what these doctors were prescribing—which ultimately meant that the information had no privacy protection. In the wake of Dobbs and the bounty laws, we can expect private entities and anti-abortion advocates (or motivated or paid hackers) to attack health care information for the purposes of privately enforcing individual states’ abortion bans. In states poised to not only prohibit abortions in their own states but to criminalize travel to other states, and/or criminalize aiding and abetting travel to other states, attackers motivated by ideology (or those that are economically motivated) will likely seek to obtain records of medical procedures in states that permit abortion services, as well. Those remaining providers that deliver abortion-related services will likely also find themselves victims of cyberextortion attacks (theft and potential release of patient records), denial of service attacks, ransomware attacks, and the like. By making medicine a crime and incentivizing private citizens to enforce the criminal law, we can expect a dramatic increase in cyber-vigilantism against healthcare providers.

While health care providers will certainly be in the crosshairs, they are not alone. Big tech companies can expect both law enforcement demands for, and attackers’ attempts to obtain, records that relate to abortion or abortion services. Web searches for medical care will become targets. Maps or GPS records related to travel become police evidence. Apps that track menstrual cycles, ovulation, etc., become “smoking guns.” Chats, texts, social media postings or other communications both about abortion and about rape, sexual abuse, incest or statutory rape now become tools for law enforcement to prevent people from obtaining medical care. Even things like automated license plate readers—used by car companies to repossess cars—become tools for tracking the movements of pregnant women. Aggregated cell tower information (anonymized) can be used to identify out-of-state visitors to abortion providers, as can GPS records retrieved from the myriad apps that collect location data.

The tools available to law enforcement to investigate unlawful abortions in and out of their states are the same tools available to investigate terrorist attacks or child abductions. Subpoenas. Search warrants. Secret orders or writs. Wiretaps. Mass surveillance. Installation or activation of cameras (Ring recently revealed that they were providing Ring camera access to law enforcement without warrants and without consent). With these tools turned on health care entities, those entities will need much more robust data privacy and data security practices. By motivating third parties to sue doctors and providers, as well as patients’ friends or relatives, Uber drivers, motel operators and the like, we make all of these entities targets for motivated hackers.

When health care becomes a crime, doctors, nurses, orderlies, administrators and everyone associated with health care become targets. It will take a lot of resources for them to be prepared, and currently, they are not.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
