EXCLUSIVE: Health Data Breach at America’s Largest Crisis Pregnancy Org
Heartbeat International is sharing women's private health information
Heartbeat International, the country’s largest network of crisis pregnancy centers, claims that client confidentiality is a “core principle” of the organization. But videos obtained by Abortion, Every Day reveal that the anti-abortion powerhouse has been collecting and recklessly sharing women’s private health data with corporate employees, thousands of center trainees and, in one case, anyone with an internet connection.
The shocking privacy breach comes at a moment when Republican lawmakers are funneling hundreds of millions of taxpayer dollars to crisis pregnancy centers (CPCs), claiming that they’ll fill the reproductive and maternal healthcare gap caused by their abortion bans. But the largely unregulated groups aren’t medical organizations looking out for the best interest of the vulnerable women who visit their centers. They’re religious groups whose goal of ending abortion is put above all else, including women’s rights and privacy.
For years, abortion rights advocates and feminists have warned that these centers routinely lie to women about everything from abortion risks to birth control, using scare tactics and shaming to deter them from ending their pregnancies. Now, post-Dobbs, CPCs are the perfect foot-soldiers for the anti-abortion movement’s increased efforts in data collection and attacks on privacy.
One of the videos provided to AED shows a member of Heartbeat’s sales team demonstrating how to use Next Level CMS, the organization’s data collection software. In it, viewers are shown the full names of thirteen women who visited the Unexpected Pregnancy Center in New Iberia, Louisiana, along with information about their due date, last menstrual period, and whether they were given an ultrasound or pregnancy test. In another section of the video, there’s even a map visible that shows where each client lives.
Instructor Khristey Reeves, a “Sales and Customer Service Specialist” for Next Level, is downright casual in the video as she navigates and scrolls through this private data, showing viewers how to click through to information about clients’ marital status and “living arrangement.”
The instructional video is part of “Heartbeat Academy,” an online hub that makes training materials available to affiliate employees and volunteers. That means these women’s names and health information is visible to anyone with access to the Academy website—a number that Heartbeat’s most recent annual report puts at over ten thousand “active participants.”
This video was also publicly available on the internet. Anyone who performed a simple Google search could find a Heartbeat webpage with links to the videos containing women’s private data. And while those links are now password protected, it’s unclear how long their information was exposed.
Heartbeat’s privacy issues go beyond a single data breach involving one center. This training video shows that Heartbeat isn’t encrypting or de-identifying client data, and that they’re allowing non-medical corporate employees like Reeves—not just local affiliate staff—to see people’s confidential health information.
In fact, another video provided to AED indicates that Reeves has access to client data at all Heartbeat CPCs, not just the one in Louisiana. There’s a list of alphabetically-ordered centers in the video, with pagination links to even more—suggesting Reeves can retrieve data from any Heartbeat affiliate using the software. It’s reasonable to assume that other corporate employees and volunteers might have similar privileges.
What makes Heartbeat’s disregard for client confidentiality even worse is that their affiliates appear to regularly mislead women and girls into believing that their health information is protected by law. It is not.
Privacy Promises, HIPAA Lies
HIPAA, the federal law that protects sensitive patient information, doesn’t apply to nearly any crisis pregnancy centers. Because CPCs aren’t real medical clinics, they’re not beholden to the same privacy laws that OBGYNs and reproductive health clinics adhere to. But that hasn’t stopped them from trying to convince women otherwise.
Just last month, the nonprofit watchdog Campaign for Accountability (CfA) asked attorneys generals in multiple states to investigate CPCs affiliated with Heartbeat for violating consumer protection laws. They pointed out that centers in Idaho, Minnesota, New Jersey, Pennsylvania, and Washington were leading women to believe that their personal health information was protected under HIPAA.
In their letter to Idaho Attorney General Raúl Labrador, for example, CfA points to Sage Women’s Center in Twin Falls, detailing how the non-medical group invokes HIPAA multiple times on their website. There’s even a page targeted towards students: “[Y]our visit and information will always be kept private in accordance with HIPPA [sic] laws and regulations.”
CfA executive director Michelle Kuppersmith writes, “Sage likely peppers its website with assurances it follows HIPAA because the acronym has become consumer shorthand for protected or secure personal health information.”
In other words, citing HIPAA is an easy way for CPCs to trick women and girls into believing that their data will be safe. By name-dropping the privacy protection without saying explicitly they’re bound to follow it, CPCs can mislead clients while remaining within the confines of the law. The privacy policy at Choices in Arizona, for example, says that the center adheres to HIPAA’s “Security Standard for appointment scheduling.” (Emphasis mine)
Not all centers look for legal loopholes. Some, like this California center and Amnion Pregnancy Center in Minnesota, explicitly tell clients that they can “file a complaint” if they feel their rights have been violated. The groups even share the address and phone number of the U.S. Department of Health and Human Services Office for Civil Rights and the HIPAA complaint website. But filing a complaint against the centers would be moot, because they’re not beholden to the law.
This dangerous and possibly illegal trickery isn’t just a problem of individual CPCs—the centers are being instructed from the top down. In one video shared with AED, a Heartbeat International instructor shows affiliate staff how to set up their website features, including a default disclaimer and privacy language that centers can customize. The first few lines of the suggested language are visible: “I understand (Center) will hold in strict confidence all the information I provide except as required by law and HIPPA [sic] privacy standards…”
In short, Heartbeat is suggesting via their training videos that affiliates use language about HIPAA, giving women who visit their websites the impression that the centers must legally protect their medical privacy.
Heartbeat’s misleading privacy practices aren’t new, and they haven’t gone unnoticed. In 2022, Senate Democrats, led by Sen. Elizabeth Warren, wrote a letter to the organization expressing concern about their data collection practices.
The letter pointed out that the group “collects a significant amount of [women’s] personal health care information, which in many cases does not appear to be protected by the Health Insurance Portability and Accountability Act (HIPAA).”
In their response to Warren, Heartbeat’s lawyers appeared downright offended at the suggestion that the group mishandled client data. They assured the senator that “confidentiality has been a core principle for life-affirming organizations for decades.” Attorney Jeremy Dys at First Liberty Institute even accused Warren of encouraging attacks at crisis pregnancy centers, writing that her “calculated rhetoric encouraged vandals who have unleashed their criminal activity across the country, including against Heartbeat International affiliates.”
Their letter also claimed that “the tools pregnancy centers use to provide this care are safe and secure, as client safety and confidentiality are of the utmost importance.”
Heartbeat president Jor-El Godsey made similar assurances in 2019, when the UK nonprofit group Privacy International raised the alarm about the organization’s data collection and sharing practices. Godsey promised, “all data of a personal identifying nature…is protected and kept confidential” and that Heartbeat “uses only aggregated and de-identified information to formulate and analyze trends.”
This data breach and the corporate practices seen in Heartbeat’s videos certainly suggest otherwise. From Kuppersmith:
“Based on these videos, we no longer have to wonder whether Heartbeat is willing and able to dip into the most sensitive data that women hand over to its affiliates. Now, it’s up to lawmakers and state AGs to investigate how pervasive this problem may be and whether it violates any laws.”
Collecting Data, Criminalizing Patients
Anti-abortion activists aren’t just treating women’s information carelessly, but strategically. Since Roe was overturned, there’s been a rapidly-growing focus on data collection and attacks on privacy.
In just the last few months, Senate Republicans introduced a bill that would establish a website to collect pregnant women’s personal information; Indiana’s Attorney General has been fighting to make abortion reports public records akin to birth and death certificates; Kansas passed a law requiring doctors to ask abortion patients invasive questions and then report their answers to the state; and in Louisiana, patients who use abortion medication and the doctors who prescribe it are now trackable in a state database.
Abortion advocates rightly worry that this kind of data could be used to criminalize doctors and patients. The women who visit CPCs are particularly vulnerable. After all, if the centers aren’t beholden to HIPAA, they can share client data with law enforcement at will.
In fact, they’ve done it before. San José State University professor Grace Howard wrote last year in Visible magazine about an Alabama crisis pregnancy center that handed over a woman’s records to police, including information about her periods and contraceptive practices.
Despite all of the language about HIPAA and promises of confidentiality, some centers say outright in their privacy policies that they reserve the right to share women’s data if they feel a “morally compelling” reason to do so. It’s safe to assume that stopping abortion falls under that category.
These centers’ loyalties aren’t to the women who walk through their doors, but to the anti-abortion movement.
Republicans’ Bet on CPCs
In the last two years, conservative legislators have launched a massive expansion of crisis pregnancy centers. An analysis of nearly 2,000 centers by Reproductive Health and Freedom Watch found their 2022 revenue was more than $1.4 billion. And anti-abortion states have increased their funding to the groups exponentially, funneling taxpayer dollars to non-medical religious centers under the guise of supporting women and families.
Since Dobbs, Tennessee boosted their support for crisis pregnancy centers from $3 million to $20 million, Florida increased its funding from 4.5 million to $25 million, and Texas went from giving the groups $5 million every two years to a whopping $100 million for 2022 and 2023.
Adding insult to injury, Republicans frame this dramatic increase in support as proof that they care about women’s health—claiming that the groups will fill their states’ reproductive and maternal healthcare gaps. (Again, gaps that their abortion bans caused or exacerbated!)
Iowa Gov. Kim Reynolds described her state’s uptick in funding, for example, as evidence that they’re “supporting healthy families.” Mississippi Gov. Tate Reeves said it’s about the state doing “everything in its power to deliver the support moms and babies deserve.” Republicans won’t even call them ‘crisis pregnancy centers’ anymore, but ‘maternal wellness centers.’
The idea, in part, is to use the centers to address Republicans’ post-Dobbs PR problem. In a moment when new stories emerge daily about women going septic or being forced to carry doomed pregnancies, Republicans hope that emphasizing CPCs will help soften their image and win back voters. And with maternity wards shutting down and OBGYNs fleeing anti-abortion states, conservative lawmakers are betting on CPCs to make it appear as if they’re urgently addressing the care crisis.
But the reality for those living with the consequences of abortion bans is far starker. Communities have been stripped of reproductive health clinics and doctors, with real care replaced by non-medical religious institutions. For some, these centers are the only local place to get a free pregnancy test or ultrasound.
To put it plainly: Conservative lawmakers are forcing people, in their most vulnerable moments, to trust their private information to groups that only feign compassion and confidentiality. It’s too much to ask, and way too little to offer.
If these were liberal programs, they'd be shut down immediately. But because they come from conservatives, how dare we attack them. 'Facts' lol. We can't keep going on with different standards applied to one 'side' from the other. There is no rule of law anymore, only power.
My brother just told me that the presumed Republican nominee for president was just found guilty of 34 felony counts. If we still had rule of law, maybe this would matter, but at this point the toothpaste is well out of the tube. Buckle up :(
Jessica, you worked your tail off on this, and dropped it this afternoon, juuuuust right before another news story broke and everyone got preoccupied. They're more connected than they first appear, since they are both basically examples of Republicans governing via massively corrupt organized crime operations. CPCs need to be vigorously exposed. Republicans must not be allowed anywhere to hide from their campaign to kill, maim, torture, and enslave American women (all of which are readily demonstrable effects of abortion bans).