In 2023, a medical resident leaked records describing the care of transgender children at Texas Children’s Hospital to conservative activist Chris Rufo. The records, which involved a relatively small number of patients, included the sex, age, and diagnosis of each patient, along with the reason for the visit, the name of the doctor they had seen, and the exact date and time of their appointment. For the most parts, the children’s visits had been related to their treatment with puberty blockers, fully reversible medications which pause puberty for trans children who are considered too young to move on to hormone therapies such as estrogen or testosterone, whose effects can be more difficult to reverse. Almost all of the visits described the purpose as replacing a puberty blocking implant that had previously been implanted in the youth.
As reported extensively by Assigned Media, a right-wing media frenzy followed the release of the records, which were partially redacted to remove the patients’ names. At the time, Rufo attributed the leak to an anonymous source. The man would later come forward to identify himself as Eithan Haim.
Now, a newly released indictment by the U. S. Attorney General for the Southern District of Texas, provides a clearer picture of what authorities have alleged was not only a felony violation of the U. S. medical privacy provisions in HIPAA, but as a malicious invasion of patient privacy with the intent to cause harm.
The indictment claims that, by 2023, when Haim accessed the records he went on to leak, his residency had not included any rotations at Texas Children’s Hospital since 2021. It says Haim falsely represented himself as needing access to TCH’s electronic record keeping system as part of care for adult patients, but in reality no such adult patients existed. Once he’d been granted access through this ruse, the indictment alleges Haim accessed the records of patients who weren’t under his care, records he had no authorization to view. Instead, he shared the records to “Person 1” (who can be interpreted to be Chris Rufo), and that Person 1 proceeded to publish HIPAA-protected information on Twitter and other media outlets.
The indictment also describes HIPAA training Haim received as a student at Baylor College of Medicine, which included information about how to properly report (or “blow the whistle”) if a resident had any concerns about medical issues or child abuse. Leaking information to the press is not considered an acceptable method of raising concerns about medical issues under HIPAA, and a person who does so would not be protected by whistleblower protections.
Haim’s stated reasons for the leak are also briefly touched on in the document. It explains that, while the Texas attorney general had issued guidance claiming that gender-affirming healthcare was illegal under existing Texas law, that an AG does not have the power to reinterpret existing law and make previously legal behavior illegal through the stroke of a pen. It’s somewhat unclear if Haim has ever publicly claimed to have exposed illegal behavior, as the focus of the stories about his leaks dealt with the fact that TCH had announced they were ending their program to treat transgender youth but a few youth had continued to be seen by doctors as evidenced by the leaks.
For more information on what HIPAA has to say about personally identifiable health information, our story last week that broke the news of Haim’s indictment has more.
Evan Urquhart is the founder of Assigned Media and an incoming member of the 2024-2025 Knight Science Journalism fellowship class at MIT.
Please provide the citation proving the claim that Dr Haim is “anti-trans”
Go listen to what he has said. He doesn’t believe gender dysphoria patients should receive the standard of care.
Haim wasn’t working at TCH and continues to misrepresent himself as a surgeon who worked there. He is a liar. He stole medical records of children. Whistleblowing doesn’t including sending PHI to right wing activists. Enjoy jail!
It was interesting to see from the indictment that federal prosecutors were not focusing on whether all PHI in the medical records had been removed through proper "de-identification". I believe that was incomplete and that the very limited number of juvenile trans patients in that area meant protecting their privacy was problematic. HIPAA, itself, notes that special care must be taken when outside information can be pieced together with medical records to compromise privacy. This is why there are special rules regarding patients 89 and older. It is easier to identify, with limited data, individuals from small groups.
Instead, prosecutors focused on the access of the records by Dr. Haim. Clearly, he exceeded authorization to gain access to records of patients not in his care. As you noted, Dr. Haim did not go through the proper channels which he had received training in regarding reporting of misconduct or child abuse. The training about reporting child abuse was separate from the HIPAA training though. Dr. Haim, as is any doctor or nurse, a mandatory reporter for child abuse under state laws. If Dr. Haim’s main defense is whistleblowing then he is in trouble.
Also interesting, is the fact that prosecutors, via the grand jury, could have charged Dr. Haim with violations of the Computer Fraud and Abuse Act (CFAA). It has been used in the past to prosecute people who exceeded their authority in accessing a protected computer (basically, any government or business computer). That is also a serious felony with potential multi-year prison terms. If the DOJ is so biased why didn’t they bring CFAA charges as well?