As of June 10, 2025, the Mobile County Health Department in Alabama is investigating a potential HIPAA violation involving the unauthorized disclosure of a patient’s protected health information (PHI) during a livestreamed phone call.
The incident took place when 32-year-old Shantaya Presley impersonated another woman while calling the health department. During the call, Presley provided the real patient's name along with an incorrect date of birth. A health department employee corrected the date of birth and proceeded to disclose sensitive health information without verifying Presley’s identity.
Unbeknownst to the worker, Presley was livestreaming the call on Facebook Live, which led to the public exposure of the patient’s PHI and resulted in that individual being harassed. Presley now faces criminal charges for doxing and identity theft. The Mobile County Health Department acknowledged the incident and located the video online, but has not released further details, including whether disciplinary action has been taken against the employee involved.
According to a Fox News report on the incident, Mobile County offered the following statement: “Shantaya Presley misrepresented herself to the Mobile County Health Department using a false identity to obtain sensitive information. It was a deceptive act that constitutes a serious breach of trust and will be prosecuted accordingly.”
By allegedly impersonating a patient during a phone call to the Mobile County Health Department, Presley used a false identity to trick a healthcare worker into revealing sensitive medical details. The act may constitute both doxing (the malicious release of personal information with the intent or knowledge that it could lead to harassment) and identity theft, since she assumed someone else’s identity to access confidential records.
These actions are criminal offenses under state identity theft laws and potentially federal laws, depending on how the information was used or shared. Although HIPAA itself does not directly apply to private citizens like Presley, her actions triggered a HIPAA violation on the part of the health department, illustrating how third-party behavior can cause regulatory breaches.
Any third party that handles protected health information (PHI) must have a HIPAA-compliant business associate agreement (BAA) with the covered entity. Failure to enter into or maintain an updated BAA exposes organizations to liability because it means the third party is not contractually obligated to protect PHI according to HIPAA standards.
Yes. Third-party employees who share or disclose PHI without authorization violate HIPAA.
If third parties lack cybersecurity plans or fail to conduct risk assessments, they increase the risk of ransomware or hacking incidents that compromise PHI.