Joshua J. Friedman: READ THE INDICTMENT of Dr. Eithan Haim, who DOJ has charged with four counts of violating HIPAA by leaking stolen patient records from Texas Children's Hospital to Chris Rufo to attack gender-affirming care www.documentcloud.org/documents/24...

DOJ unseals indictment against doctor accused of stealing private health records from Texas Children's Hospital to leak to Chris Rufo to attack gender-affirming care

Doctor accused of illegally obtaining Texas Children's patient informationwww.houstonchronicle.com Dr. Eithan Haim has described himself as a whistleblower who sought to expose the Texas Children's Hospital transgender medicine program.

If you haven't been following this case, I regret to inform you that Haim's cause has been championed by Tucker Carlson, Dan Crenshaw, and Bari Weiss's Free Press (in an article written by Emily Yoffe), and Haim has crowdfunded $620,000 thus far to support his legal defense

Eithan Haim gets a $10,000 appearance bond (still no indictment released—USATX public affairs apologized and said they'll work on getting it for tomorrow) BOND: storage.courtlistener.com/recap/gov.us... CONDITIONS OF RELEASE: storage.courtlistener.com/recap/gov.us...

READ THE INDICTMENT of Dr. Eithan Haim, who DOJ has charged with four counts of violating HIPAA by leaking stolen patient records from Texas Children's Hospital to Chris Rufo to attack gender-affirming care www.documentcloud.org/documents/24...

"In or around May 14 through May 16, 2023, HAIM and Person1 talked on the phone numerous times. On or about May 16, 2023, Person1 published HIPAA protected information obtained by HAIM via X (formerly known as Twitter) and other online media outlets."

"In furtherance of his malicious intent, HAIM obtained unauthorized HIPAA protected information and intentionally contacted a media outlet to grossly mischaracterize TCH’s medical procedures in order to damage the reputation of TCH and its physicians and to promote his own personal agenda."

What an absolute piece of shit.

Can TCH sue him as well?

You would assume his contract with them includes a "you promise not to violate federal law and steal our information" clauses so, probably. When TCH gets sued by the patients, someone's pleading him, I'm sure.

Wait, this seems to indicate that rufo was coordinating, inciting, or leading the theft of medical records

Keyword: “seems”. I don’t know. I may be all wrong.

Does it? I'm not immediately finding the suggestion that Haim and Rufo talked before Haim took the records

The Asst. US Attorney probably needs Haim’s incrimination to get to Rufo. Of course, all this unpleasantness goes away if we get Trump 47.

Under what federal statute would he get Rufo? He isn’t a workforce member under HIPAA.

US code 18 section 2? Federal offense for aiding and abetting a crime?

I don't really see that. The unauthorized access is put on Apr 26, 23 and the calls to Rufo are May 14-16.

They put the access ending on May 14 in the table as well. Much as I detest Rufo, the timeline the govt has committed to in this indictment does not seem to implicate him in a crime.

I don't think the timeline in the indictment makes that clear (possibly intentionally). We get Haim accessing records in April and talking on the phone with Rufo in May before Rufo published on May 16, but there's no indication of how/when they initially got into contact with each other.

No it doesn’t. It just says he gave the materials to Rufo.

So does this mean that Rufo can be hit with terror/RICO violation charges? If so, that would be a wonderful consequence to have befalling him in particular.

Oh PLEASE fucking tell me they fully plan on indicting Rufo, they seemingly conspired together to do this.

@abtnatural.bsky.social

Thanks. So what's the story, did OUSA email this to you? This is pretty weird, after the clerk unsealing most docs without entering any record of having authorization to unseal anything, and now a still-sealed doc is loose. But I guess it's pretty clear that it's all supposed to be public.

Yup! I have to assume it's unsealed but that fact hasn't yet yet made it to the dockets, but who knows

Lock this creep up. If he ever practices medicine, the system is broken.

🌎 🧑‍🚀 🔫 🧑‍🚀 Always has been

What’s the word on aiding and abetting for rufo

"Well-connected," probably..

NYT Opinion columnist

I hope he gets locked up for a very long time. Leaking medical records of children is the lowest form of scum

I’m going to assume that DOJ is indicting competently.

Is the money he raised on the fake MAGA GoFundMe site "proceeds traceable to such violations"? This guy basically traded a medical career for a career as a professionally-aggrieved rightwing nut.

Can Rufo be charged with receiving stolen patient information?

Doesn't this implicate CFAA, too?

I suspect not, because I'm guessing he eventually persuaded someone to grant him access, as opposed to stealing a colleague's login. If true, I don't believe he'd be liable under CFAA.

I know CFAA stuff has been in flux, but I thought unauthorized access to a part of a system could be a violation even where a person has front end authorization to the system itself

Maybe you’re right! I guess it might depend on how their computer system is set up and whether there’s evidence that someone granted him access to a particular subdivision of patient data or whether it was to patient records generally.

Not a lawyer, but the relevant portion of the Justice Manual suggests they wouldn't charge on the theory of exceeding authorization since he was authorized for some patient records and it is unlikely the records were technologically separated based upon the patient. www.justice.gov/jm/jm-9-4800...

9-48.000 - Computer Fraud and Abuse Actwww.justice.gov

Generally, access to the system is general. Everyone is trained annually as to the rules, including the big one: If you do not have a valid reason (providing care to that individual) even just viewing their chart is a violation of the rules. The system tracks every page you enter.

Man the DOJ is trying to ruin Timothy Burke’s life on way way less under CFAA

Isn't this the exact question that van Buren (2021) answered? If your credentials give you access to a file, it's not a CFAA violation, even if you're not supposed to. But did Haim simply have that access, or did he need to fill out (and lie on) forms to access info for specific patients?

My experience with my own healthcare provider is that any time a nurse or physician accesses my file for the first time, they have something to fill out establishing their need. Does obtaining genuine authorization by lying on such a form violate CFAA? No idea. Wonder if there's case law on that.

many electronic record systems designate certain files as requiring justification to open—for instance, anyone’s chart who works for the hospital, notes from therapy sessions, and substance treatment. this case might be a sign that we need to treat charts of trans kids/adolescents similarly

Yeah I couldn't remember if the question had been covered. Your second point is probably the more important one here

And “social engineering” has been a method of hacking since the beginning

Filthy bigots make me sick. I hope this guy faces some real justice here, things like this harm many innocent people and kids and this man (and Rufo) need to face some consequences.

If I remember my HIPAA days: -Haim won't go to jail for HIPAA directly -He'll probably get smacked hard financially -Dunno if he ever got a license, but there's 40+ states out there who are desperate for doctors. He'll find a job somewhere. (cont)

-TCU can't be sued by the offended parties -Only the Feds can hold TCU accountable for HIPAA violations, though state law can be applied. -But the indictment appears to go out of its way to hold TCU harmless But yeah, Haim's not going to jail.

My assumptions in my post were wrong, but I'm not deleting it because I don't want to lose the links provided by the well informed Dr. Williams.

People are sentenced to prison. Given sentencing examples and this case, I would say that it is likely he will do time given: - The number of charts accessed - Conspiracy - Malicious intent People get probation for accessing based on "curiosity," not so much here www.justice.gov/usao-sdia/pr...

Des Moines Man Sentenced to 27 Months in Prison for Criminal HIPAA Violationswww.justice.gov Des Moines, Iowa – A Des Moines man was sentenced today to 27 months in prison following his pleas of guilty to two counts of a federal indictment charging conspiracy to wrongfully obtain and disclose...

Thank you again. I had never heard of people going to jail (obv), an assumption I could have corrected with a simple Google search.

The assumption is fair as most are not sentenced to prison. Most violations are due to not having appropriate systems, not knowing the rules, inadvertently breaking the rules - or just stupidity (having patient files on a thumb drive which goes MIA). Few violations involve actual malicious intent.

Post