Celebrities, athletes, and government officials continue to be more accessible to us. Advancements in technology and social media make this possible.

But there is a fine line between finding out that a celebrity checked into a hospital and digging through their medical records.

Since HIPAA’s enactment in 1996, we’ve witnessed almost 20 reported cases of unauthorized personnel looking up the medical records of celebrities. This usually happens when a celebrity checks into the hospital, but that’s not always the case.

We’ve aggregated the ultimate list of reported celebrity HIPAA violations. The goal of this post is to help you prepare your staff just in case a celebrity checks into your healthcare facility.

Below is a navigation list to quickly view each reported infraction, when it occurred, and their consequences…

1. Injustice Continues for George Floyd

2. Media Mix-up for Ezekiel Elliott

3. Sickening Story of Scott Disick

4. Before The Bubble for Christian Wood

5. Jeffery Epstein Scandal Leads to Suspicious Prediction

6. Jussie Smollett's Fake Crime Leads to Real Crime

7. Ed Sheeran's Accident Leads to Snooping

8. Save My Life: Boston Trauma Reality TV Gets Into Real Trouble

9. 13 Years Worth of NFL Players Leak after Combine

10. A Violation Formerly Known as Prince

11. NY Med Show Goes Too Far

12. A New York Football HIPAA Violation on Jason Pierre-Paul

13. Lamar Odom Falls Victim to Selfish Selfies in Sin City

14. Dr. Rick Sacra's Ebola Scare Leads to a Breach

15. Illegally Keeping Up With Kim Kardashian

16. Gabrielle Giffords Loses Privacy After Mass Shooting

17. UCLA Health Systems Hired Too Many Fans

18. Michael Jackson's Death Thrills Hospital Workers

19. Anne Pressly Can't Rest In Peace

20. Nadya "OctoMom" Suleman's Claim to Fame

21. Richard Collier's Late Night Scuffle

22. Britney Spears Part 1

23. George Clooney's Accident

24. Farrah Fawcett's Sting Operation

25. It All Started with Drew Barrymore, Arnold Schwarzenegger, Tom Hanks and Leonardo Dicaprio

September 2020

In late May of 2020, a video released featuring footage of a caucasian police officer kneeling on the neck of George Floyd, an African American man.

The released footage led to public outcry and protests nationwide throughout the majority of the summer. The complexities surrounding this incident extend beyond this blog post. What I will go over, though, is what happened to Mr. Floyd when he arrived at the hospital.

Four months after Floyd’s death, many publications reported that “several” employees of the hospital that the ambulance rushed him to snooped into his medical records.

The unauthorized access happened multiple times by staff members at Hennepin County Medical Center in Minneapolis. They, of course, had no legitimate reason to do so.

This is still a developing case. As of writing, Floyd’s estate has yet to determine whether to take legal action. However, Hennepin Healthcare did confirm that the culprits of the incident were no longer with the healthcare center.

June 2020

While the NFL prepared for their upcoming season during the COVID-19 pandemic. Reporters satisfied their journalistic hunger by keeping fans updated on players coming down with the illness. 

On June 15, 2020, well-known NFL Network reporter Ian Rapoport tweeted that several Dallas Cowboys and Houston Texans players confirmed positive tests.

Rapoport immediately received backlash from players from both teams. One of which was Cowboys running back Ezekiel “Zeke” Elliott.

However, Rapoport confirmed his diagnosis through his agent, Rocky Arceneaux. Zeke maintained that his agent only confirmed the diagnosis with the media but the story was already written prior to his consent.

At the time or writing, Zeke has yet to take any sort of legal action against Ian Rapoport and it’s unclear if he ever will. If he does, he won’t have a winning case according to the former team doctor for the Los Angeles Chargers, David Chao.

May 2020

Sometimes reality TV becomes too real. Way back in 2013 Keeping Up with The Kardashians star Scott Disick’s mother died suddenly. Just 3 months after her death, his father passed away tragically.

Viewers of the show will tell you that Scott’s demeanor changed since then.

On May 4, 2020, The Daily Mail broke the news that Disick checked himself into All Points North (APN) Lodge in Edwards, Colorado. The article also included an image of Disick at the rehabilitation facility.

As a result, he immediately checked out and his team of lawyers announced that they plan to take immediate legal action against APN.

APN has yet to determine the source of the information, but also made it public that they plan to take legal action against the individual involved.

March 2020

The entire United States seemed to be holding its breath in early March as everyone awaited an imminent national shutdown. Everything seemed to happen all at once, especially within the sports world.

The NBA canceled their season on March 11, 2020, after Utah Jazz center, Rudy Gobert, tested positive for COVID-19. This cancellation ultimately led other professional and collegiate sports organizations to follow suit.

The news also forced five NBA teams to self-quarantine their players; Cleveland Cavaliers, New York Knicks, Boston Celtics, Detroit Pistons and Toronto Raptors.

Three days after the postponement announcement, The Athletic reporter, Shams Charania, reported that Detriot Pistons big man, Christan Wood, also tested positive for the illness.

Wood happened to be the player who guarded Gobert the game before the shutdown.

The Detriot Pistons team said that they were “mystified” when the report came out because Wood never authorized anyone to release his diagnosis. Wood later exclaimed that he didn’t even get the chance to tell his mother about the diagnosis prior to its release.

As of right now, Wood hasn’t taken any legal action for the leak about his positive coronavirus test.

August 2019

Huge headlines dropped throughout the summer of 2019 involving the financial manager and convicted pedophile Jeffrey Epstein. The story of Epstein was nothing short of disturbing.

Back in 2007, Epstein faced a 13-month jail sentence for sexual abuse involving underaged girls. During the trial, he struck a deal with Alexander Acosta that shortened his sentence to a mere 13 months.

Fast forward to July of 2019. His arrest happened in New Jersey where he faced sex trafficking charges. As the story developed, more allegations found their way into the spotlight. Epstein had a powerful ring of “friends” including the current President of the United States. 

I’m not going to get into too much depth on the gruesome testimonials involving Mr. Epstein as they fall beyond the scope of this blog piece.

The police came to Epstein on July 6, 2019, and arrested him on sex trafficking charges. He was only in jail for a little longer than a month before his alleged suicide on August 10.

ABC confirmed his death with a tweet posted at 8:54 am. However, 38 minutes prior to the announcement, an anonymous user confirmed his death on 4Chan.

At first, the post seemed coincidental. However, the user also posted detailed information regarding the medical procedures performed on Mr. Epstein in an attempt to resuscitate him. It was so detailed that Buzzfeed News suspected the user as a first responder.

Their allegations led to a review of the New York City Fire Department by their Office of Healthcare Compliance. The review couldn’t verify the accuracy of the information posted on 4Chan.

March 2019

This is the latest recorded celebrity HIPAA violation as of June 2019.

During the majority of the first quarter of 2019, the media was covering what was initially thought of as a hate crime on “Empire” actor Jussie Smollett.

Smollett went to Northwestern Memorial Hospital in Chicago for treatment of bruises and facial lacerations.

When Smollett first reported the attack on January 30th, it drew public outrage.

While receiving treatment, at least 50 employees at the Chicago hospital improperly reviewed Smollett’s medical records. Some employees attested that they didn’t look into his records and only searched his name within the system.

The employees who viewed his medical report without proper access were immediately fired.

May 2018

While radio stations played his hit “Shape of You” during October of 2017 Ed Sheeran got into what he described as “a bit of a bicycle accident.”

The accident broke his right wrist and left elbow, which required him to seek medical attention at Ipswich Hospital in Suffolk, England.

While his visit he signed autographs and took pictures with fans. It turns out that he also had his medical information accessed without authorization.

This led to the hospital firing on one staff member in the administration department and another receiving a written warning.

Although this violation falls outside of the jurisdiction of HIPAA since it’s overseas, it’s important to understand that other countries have similar privacy and security laws to protect their patients.

September 2018

In September of 2018 three separate hospitals in the Boston area faced fines from the Department of Health and Human Services (HHS) totaling almost $1 million in fines. The breaches actually occurred three years prior to the settlement.

Throughout the early months of 2015, ABC studios began filming for a documentary series entitled Save My Life: Boston Trauma slated to release in July. The show’s premise was to give a raw and authentic view into what goes on within the emergency rooms of some of the most prestigious hospitals in Boston.

However, the HHS determined that the show filmed patients without their expressed consent. The three hospitals involved received different fines…

• Massachusetts General Hospital - $515,000

• Brigham and Women's Hospital - $384,000

• Boston Medical Center - $100,00

Each organization also had to train staff as a part of the “corrective action plan.” This was the second time ABC played a role in a HIPAA violation case.

April 2016

In July of 2016, MedCityNews reported that thousands of NFL players’ healthcare records dating back 13 years leaked in April of the same year.

Someone stole a laptop from inside the car of a Washington Redskins trainer. The laptop also contained sensitive information from all players at the 2016 Scouting Combine. Some notable attendees included…

• Jared Goff, QB

• Carson Wentz, QB

• Joey Bosa, DE

• Ezekiel Elliott, RB

• Jalen Ramsey, CD

• Derrick Henry, RB

• Michael Thomas, WR

The NFL worked with the Department of Health and Human Services (HHS) throughout this breach. The HHS didn’t prosecute the NFL as a HIPAA Covered entity and notified those affected by this event

April 2016

In 2016 we witnessed many notable celebrity deaths, one of whom was Prince.

Six days before his death, TMZ reported that doctors gave him a treatment that was “typically administered to counteract the effects of an opiate.”

As it turns out, the story they reported isn't a HIPAA violation. Although many people still question the integrity of the information that TMZ received.

If staff disclosed the information about the potential drug overdose, that would've been a breach of Prince’s rights under the HIPAA Privacy Rule.

But, as it stands, TMZ and other news media outlets that reported his alleged treatment, won’t face a violation.

April 2016

In 2011 ABC began filming for its third medical documentary series entitled NY Med. The show was a follow-up series to ABC’s Hopkins and Boston Med where crews followed the daily life of skilled surgeons and their impact on their patient’s lives.

But in January 2013, the HHS received a complaint that the show had received PHI  impermissibly from the hospital where filming took place. Four months later and the HHS notified New York and Presbyterian Hospital (NYP) of the start of their investigation.

By April of 2016, the HHS fined NYP $2.2 million for filming two patients without their consent. The first patient was dying while the second was under severe distress. Furthermore, crews continued filming even when asked to stop by a medical professional while everything took place.

This settlement had a huge impact on medical documentary series and how they’re recorded. Some even believed it would mean the end of real-life healthcare shows. That ended up not being the case.

February 2016

On July 4, 2015, former New York Giants defensive end Jason Pierre-Paul suffered a devastating hand injury. He experienced the injury during a fireworks accident. He was then sent to and treated at Jackson Memorial Hospital in Miami, Florida.

Due to the injury, the hospital's medical staff amputated the middle finger on his right hand.

ESPN reporter, Adam Schefter, immediately posted details of the incident on Twitter. Schefter's tweet included a picture of Pierre-Paul’s medical records. Schefter received the leaked image of Pierre-Paul's records from two hospital employees.

Before the accident, Pierre-Paul was negotiating a $60 million contract with the Giants. This injury put that contract at risk.

This HIPAA violation resulted in two lawsuits. The first lawsuit was to ESPN. The second was to Jackson Memorial Hospital. Also, the hospital fired the two employees who released Pierre-Paul’s PHI.

The lawsuit against ESPN settled in 2017…

ESPN continues to firmly believe that it’s reporting about Mr. Pierre-Paul’s July 2015 injury, including the use of a medical chart that definitively described the seriousness of the injury and resulting treatment, was both newsworthy and journalistically appropriate,” the network stated. “Despite their different points of view, the parties have agreed to amicably resolve their dispute rather than continue their litigation

October 2015

Back in October of 2015 paramedics rushed the Los Angeles Lakers basketball star Lamar Odom to Sunrise Hospital in Las Vegas after finding him unconscious.

This happened just after filing for divorce with Khole Kardashian. Medical professionals found out that substance abuse was what caused the athlete’s health problems.

While he was at the hospital, an undisclosed amount of employees attempted to take pictures of and access Mr. Odom’s medical files.

The hospital quickly fired the individuals involved in the incident. Odom was then transferred to Cedars-Sinai where he was under 24/7 surveillance.

September 2014

At the peak of the Ebola scare in 2014, Nebraska Medical Center in Ohama admitted Dr. Richard Sacra. He was the third American medical missionary to return to the U.S. needing treatment for the Ebola virus.

He received treatment in the hospital’s biocontainment unit for 20 days. Meanwhile, two hospital employees inappropriately accessed his electronic medical record (EMR).

The hospital fired both unauthorized employees.

July 2013

On June 15, 2013, Kim Kardashian gave birth to her and Kanye West’s daughter, North West. A week later the family checked out of the hospital.

On July 12, 2013, The LA Times reported that Cedars-Sinai Medical Center fired six employees. Cedars-Sinai Medical Center was where North West was born.

Five staff members accessed a single patient record while one other looked at 14 records. Kim-ye refused to respond to the blatant breach in privacy.

This event led to staff members losing their jobs and a permanent ban from accessing any Cedars-Senai Medical Center records.

January 2011

On January 8, 2011, the U.S. news reported that shots rang out and struck nineteen people during a constituent meeting held in a supermarket parking lot in Casas Adobes, Arizona.

Tucson's University Medical Center admitted all injured from the event. The majority were in critical condition. United States Representative Gabrielle Giffords was among the injured.

While these patients received treatment, three employees accessed confidential medical records without authorization.

University Medical Center terminated all three employees including a contracted nurse. The number of patients affected by the breach wasn’t reported but the hospital notified all families involved.

July 2011

UCLA Health Systems was a frequent culprit of celebrity HIPAA violations. In 2011, UCLA had to pay an $865,000 fine for allowing unauthorized access to the medical records of three celebrity patients by non-authorized personnel. Affected celebrities included Britney Spears, Maria Shriver, and Farrah Fawcett.

The breaches occurred between 2005 and 2009.

All UCLA hospitals in question failed to put in place efficient controls after the HIPAA infractions occurred.

The settlement was the result of many failures to remedy privacy and security deficiencies.

June 2010

On June 25, 2009, Michael Jackson passed away due to acute propofol and benzodiazepine intoxication at his home in Los Angeles.

The LA Times reported that Ronald Reagon UCLA Medical Center personnel inappropriately accessed MJ’s medical records.

The snooping occurred five days after his death on June 30th. At least half a dozen unauthorized staff members accessed Jackson’s death certificate.

Within two weeks of his death, his death certificate recorded received more than 300 views. The hospital faced $95,000 in fines for privacy violations. They also fired two hospital workers and two contract employees.

October 2009

On October 20, 2008, popular Little Rock, Arkansas news anchor, Anne Pressly, was brutally attacked during a robbery at her home. St. Vincent Infirmary Medical Center admitted her, but she died five days later.

During her stay, three employees accessed her electronic files to determine her condition. They later admitted that they knew they were breaking the law.

Each employee faced different penalties…

• $2,500 fine with a one-year probation sentencing

• $1,500 fine with a one-year probation sentencing

• $5,000 fine plus 50 hours of community service to educate others on the importance of HIPAA

May 2009

On May 15, 2009, HealthLeaders reported that Kaiser Permanente Bellflower Hospital in Los Angeles received a $250,000 HIPAA fine. The fine occurred due to 23 employees breaching the privacy of a patient who gave birth to octuplets.

This was the first fine of its kind under a new California state patient privacy law that went into effect on January 1st, 2009.

Kaiser terminated one employee, 14 resigned, and another eight received disciplinary action.

Many still attribute Nadya “Octomom” Suleman's claim to fame to this massive privacy breach.

November 2008

On Tuesday, September 2, 2008, former Jacksonville Jaguar, Richard Collier, got shot and critically wounded outside an apartment complex at around 2:45 am.

The shooter was later identified as Tyrone Hartsfield whose motive was revenge. The April before the attack, Hartsfield fought Collier in a night club.

Collier received treatment at Shands-Jacksonville Medical Center. After his discharge, the hospital fired 20 hospital employees for violating Collier’s medical privacy. Those employees accessed Collier’s file through a computer.

Many argue that some of the employees had legitimate reasons to access Collier’s record and that Sands was too harsh.

March 2008

In January 2008, Britney Spears checked into a psychiatric ward after refusing to take prescribed medication and acting erratically. Spears went to the previously mentioned UCLA Medical Center in Los Angeles.

Three months after the event, UCLA Medical Center fired at least 13 employees and suspended six others. They faced accusations for snooping into Britney Spears’ medical records.

This wasn’t the first time Britney Spears was a victim of a HIPAA violation. In September 2005, several employees inappropriately viewed her records at Santa Monica-UCLA Medical Center and Orthopaedic Hospital.

October 2007

After a motorcycle accident, George Clooney and then-girlfriend, Sarah Larson, checked into Palisades Medical Center in North Bergen, New Jersey.

Clooney suffered a broken rib and skin abrasions while Larson broke her foot. One month later, the hospital suspended 27 employees for accessing their personal medical information.

The employees got suspended for one month without pay.

Clooney responded to the reparations, “This is the first I've heard of it. And while I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers.”

May 2007

Farrah Fawcett battled cancer for many years up until her tragic death in 2009.

While seeking treatment at the UCLA Medical Center, tabloids also released news about her admission.

Fawcett noticed this and in May 2007 she set up a sting operation. She withheld her news from her friends and relatives of her rediagnosis to see if it leaked into the media. Within days the story she withheld was in the National Enquirer.

The employee who leaked the information was later identified as Lawanda Jackson. Jackson received at least $4,600 from the publication through checks made out to her husband.

Jackson faced up to 10 years in prison but died from complications with breast cancer before sentencing.

October 2003

On October 29, 2003, Dr. Huping Zhou received discharge notice from the UCLA Health System. His dismissal was due to performance-related reasons.

Disgruntled, over the next three weeks Zhou abused his access to the hospital’s electronic health record system. He began viewing medical records of celebrities and high-profile patients including...

• Drew Barrymore

• Arnold Schwarzenegger

• Tom Hanks

• Leonardo DiCaprio.

Zhou accessed UCLA’s record system 323 times throughout a three week period. He later admitted to obtaining patient health information on four occasions after termination.

Zhou received a four-month sentence and $2,000 fine on April 27, 2003. The verdict was, “four misdemeanor counts of accessing and reading medical records of his supervisors and high-profile celebrities.”

It seems like whenever a celebrity requires medical attention, it leads to unauthorized viewing of medical records. If you notice, many of these also happen as the result of a post on social media.

Celebrities still have the same medical rights under HIPAA as the general public.

If a celebrity is ever admitted to your hospital or practice, you and your staff must understand the privacy rights of your patients, regardless of how society ranks them.