I’m looking for legal/medical privacy advice. Here’s my situation:
• Late 2023: Contacted a plastic surgeon. Receptionist instructed me to email nude medical photos to the clinic for a quote. Never ended up having the surgery.
• Last month: Received an email from an unknown person saying the clinic had a privacy breach and my photos + personal info were published on a humiliation porn-style site.
• Confirmed: The site contains my intimate photos, full name, emails to the surgeons clinic + SSN — plus similar leaks from other 22 other patients of the same surgeon. Some patients had their intake forms photographed and leaked as well. The porn has “profiles” of us meant to humiliate. The website remains active.
• No notice from clinic: I was never informed of any breach by the clinic itself. They have ignored my direct inquiry.
• Reports filed: HIPPA, email abuse report (offending email deleted).
Question:
Does this meet the standard for a HIPAA/data privacy violation and medical negligence, even though photos were sent by email? Even though I never had the surgery? I believed information as an inquiring patient was meant to be protected. Has anyone pursued legal action in a similar situation? I’m feeling defeated as the lawyers I contacted are not taking the case.
Location: NYC
Comments
NAL- I’m not sure on the HIPAA part but my company suffered a data breach in 2023 and we had either 60 or 90 days, I don’t remember exactly ,to notify customers and employees whose data was involved. If it was just last month, you may not have been notified by the office…yet.