

Social media livestream exposes patient’s PHI, sparking HIPAA investigation


As of June 10, 2025, the Mobile County Health Department in Alabama is investigating a potential HIPAA violation involving the unauthorized disclosure of a patient’s protected health information (PHI) during a livestreamed phone call.

 

What happened 

The incident took place when 32-year-old Shantaya Presley impersonated another woman while calling the health department. During the call, Presley provided the real patient's name along with an incorrect date of birth. A health department employee corrected the date of birth and proceeded to disclose sensitive health information without verifying Presley’s identity. 

Unbeknownst to the worker, Presley was livestreaming the call on Facebook Live, which led to the public exposure of the patient’s PHI and resulted in that individual being harassed. Presley now faces criminal charges for doxing and identity theft. The Mobile County Health Department acknowledged the incident and located the video online, but has not released further details, including whether disciplinary action has been taken against the employee involved.

 

What was said 

According to a Fox News report on the incident, Mobile County offered the following statement: “Shantaya Presley misrepresented herself to the Mobile County Health Department using a false identity to obtain sensitive information. It was a deceptive act that constitutes a serious breach of trust and will be prosecuted accordingly.”

 

Why it matters 

By allegedly impersonating a patient during a phone call to the Mobile County Health Department, Presley used a false identity to trick a healthcare worker into revealing sensitive medical details. The act may constitute doxing, the malicious release of personal information with the intent or knowledge that it could lead to harassment, and identity theft, since she assumed someone else’s identity to access confidential records. 

These actions are criminal offenses under state identity theft laws and potentially federal laws, depending on how the information was used or shared. Although HIPAA itself does not directly apply to private citizens like Presley, her actions triggered a HIPAA violation on the part of the health department, illustrating how third-party behavior can cause regulatory breaches.


 

FAQs

Why is failing to have a HIPAA compliant Business Associate Agreement (BAA) a violation?

Any third party that handles protected health information (PHI) must have a HIPAA-compliant BAA with the covered entity. Failure to enter into or maintain an updated BAA exposes organizations to liability because it means the third party is not contractually obligated to protect PHI according to HIPAA standards.

 

Can third-party employee misconduct trigger HIPAA violations?

Yes. Third-party employees who share or disclose PHI without authorization violate HIPAA.

 

Why is failing to plan for cyberattacks by third parties a violation risk?

If third parties lack cybersecurity plans or fail to conduct risk assessments, they increase the risk of ransomware or hacking incidents that compromise PHI.
