States Are Fighting Back To Defend Medical Privacy and Safeguard Democracy

Adele Jasperse / Jul 16, 2025

The views and opinions expressed in the article are solely those of the author and do not reflect the views or opinions of the Massachusetts Executive Office of Health and Human Services.

A corrections officer walks beside people holding candles, signs, and flowers during a vigil outside the Krome Detention Center in Miami on May 24, 2025, protesting US Immigration and Customs Enforcement custody and mass deportations. (Photo by GIORGIO VIERA/AFP via Getty Images)

“We can have democracy, or we can have a surveillance society, but we cannot have both,” Harvard’s Shoshana Zuboff presciently warned us in 2021. She was referring to the digital monopolies that, over the last two decades in a race of rapacious profiteering, have feasted at an all-you-can-eat buffet of stolen personal data and relentlessly surveilled every aspect of our lives without meaningful consent — obliterating individual privacy and eroding democracy. This phenomenon, for which she coined the term “surveillance capitalism,” has only intensified since. Fast forward to 2025 and surveillance capitalism, now turbo-charged by artificial intelligence, has melded with authoritarian surveillance, sending democracy to life support and putting fundamental human rights on the chopping block. Now, the Trump administration, aided by Big Tech, is reportedly building a centralized database pooling data from federal and state agencies — potentially enabling the creation of a dossier on each of us to facilitate, among other dehumanizing ends, mass deportations without any meaningful due process.

States Fight Back Against the Weaponization of Health Data

Pushed to the brink, many states are pushing back. Recently, a coalition of 20 states led by California filed suit against the US Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS), seeking to enjoin HHS from further transferring Medicaid data “to DOJ, DHS, ICE, or any other federal agency,” or from using Medicaid data for “immigration enforcement, population surveillance, or other similar purposes.” The states asserted that the Centers for Medicare and Medicaid Services (CMS) — an HHS agency — recently transferred the sensitive health data of millions of Medicaid recipients to DHS and its sub-agency, Immigration and Customs Enforcement (ICE), for deportation purposes, without any notice to state agencies or affected individuals. They argued this move is not only unprecedented, but also unethical and unlawful. The states first learned of the unauthorized transfer of sensitive Medicaid data through an Associated Press report last month.

Seeking “Unfettered Access” to State Data is Unethical and Unlawful

While the mass weaponization of sensitive health data against the states’ most vulnerable individuals is despicable, it is hardly surprising. The Trump administration signaled its desire for state data — which is arguably more granular and sensitive than information held by the federal government — in March of this year, when it issued the executive order titled “Stopping Waste, Fraud and Abuse by Eliminating Information Silos.” This order not only directs federal agencies to “take all necessary steps” to enable access to and sharing of all unclassified information held by federal agencies, but also mandates the federal government’s “unfettered access to comprehensive data from all State programs that receive Federal funding, including, as appropriate, data generated by those programs but maintained in third-party databases.” This sweeping directive runs counter to numerous state and federal privacy laws, and the ethical principles that underpin them. It seeks to commandeer the states and their vendors, compelling them to hand over the personal data entrusted to them by the people they serve, in exchange for federal dollars — appropriations that only Congress has the authority to allocate.

The US Privacy Landscape

While the United States regrettably lacks comprehensive data privacy legislation, privacy is nonetheless considered a fundamental right. Many current federal privacy laws and the underlying principles emerged in the last century in response to growing concerns about the government’s use of computers to process personal data and the resulting impact on individual privacy and other fundamental rights. A committee established by the then Department of Health, Education & Welfare (HEW) — composed of experts and laypersons — created in 1973 a report titled “Records, Computers, and the Rights of Citizens,” now known as the Fair Information Practice Principles (FIPPs), which have shaped privacy legislation at both the federal and state levels. Chief among these principles are affording individuals the right to access their information and control how it is used; mandating agencies to provide notice of the specific purpose for which information is collected and to ensure that information collected for one purpose cannot be used for another incompatible purpose without individual consent; and requiring agencies to use or disseminate only information that is directly relevant and necessary to accomplish a legally authorized purpose. It is evident that an executive order seeking “unfettered access” to personal information under the guise of stopping fraud constitutes an unwarranted fishing expedition and runs counter to these principles and the laws they support. Similarly, sharing unconsented personal data that CMS has collected to administer the Medicaid program with DHS — information that the latter will reportedly use to deport Medicaid recipients — is unethical, antithetical to the mission of CMS, and flouts the FIPPs.

CMS Violated Numerous Laws

Importantly, and as the states articulated in their complaint, CMS’s actions appear to violate numerous federal laws, two of which are worth highlighting.

The first is the Privacy Act of 1974 — the principal legislation governing the handling of personal information by the federal government. Created in the wake of the Watergate scandal, it was a response to government overreach and the fear that, without strong legal safeguards, the government’s ability to collect and misuse personal information could be subverted to undermine individual rights and democracy itself.

The Act prohibits sharing personal information without the individual’s consent, subject to 12 exceptions. CMS could plausibly invoke two, neither of which appears to apply in this case:

Routine Use Exception (5 U.S.C. § 552a(b)(3)): This exemption, which courts have interpreted narrowly, allows agencies to disclose records only for purposes compatible with the original reason for collection. Information about Medicaid recipients is gathered for the administration of the Medicaid program and has little relation — let alone compatibility — with immigration enforcement. Protecting taxpayer funds from the purported threat of “illegal aliens” is neither a compelling nor legitimate reason to secretly share the information of millions of Medicaid enrollees with ICE. Nor is it necessary for the administration of the Medicaid program. Rather, it is vague, overly broad, and capable of swallowing the Act with a single gulp. Additionally, to use this exception, an agency must detail any new or modified routine use in the relevant System of Record Notice, published in the Federal Register before disclosure — a step CMS failed to take.

Law Enforcement Exception (5 U.S.C. § 552a(b)(7)): This allows disclosure for a civil or criminal law enforcement activity only if authorized by law and requested in writing by the head of the agency, specifying the records and purpose. CMS’s disclosure to DHS was not tied to specific investigations but to broad policy objectives, violating both federal law and CMS’s own longstanding policy.

The second law is the Health Insurance Portability and Accountability Act (HIPAA), which governs the use and disclosure of protected health information (PHI) held by covered entities and their contractors. CMS and state Medicaid agencies are covered entities and thus subject to HIPAA. While HIPAA does permit disclosure of PHI for law enforcement purposes, such disclosure must be “specific and limited in scope.” The sweeping transfer of PHI from CMS to DHS was neither specific nor limited, seemingly violating both the letter and spirit of HIPAA.

The implications of this case go far beyond legal violations. As the states warn, the “chilling effect” of weaponizing health data will reverberate across society, resulting in sicker communities, higher uncompensated care costs for states, and the erosion of public health and safety.

Invigorating State Resilience

The states’ decision to sue to protect their residents and the integrity of their healthcare programs is commendable and absolutely necessary. But in this moment of multiple crises, it is not sufficient. The unprecedented assault on human rights, the rule of law, and democracy demands that states act courageously — making deliberate choices that rise to the scale of the threat and building resilience to defend their people.

A democratic government draws its authority and legitimacy from the people and owes them a sacred duty of care. Trust is the oxygen of democracy. The Associated Press revelation has put states on notice: the federal government is acting in bad faith. When it comes to data privacy, state agencies have a fiduciary duty to guard the data entrusted to them and not betray the trust of their residents. They must make transparency a priority — informing people of the stakes, providing notice, and, when appropriate, seeking meaningful consent before sharing sensitive information.

Equally important, states must put privacy at the center, recognizing it as a human right, and enact laws that truly shield individuals from both private sector exploitation and government overreach. Take Massachusetts, for example — a state that prides itself on its progressive tradition and deep democratic roots. Yet it still lacks a comprehensive privacy law, and the law that governs government data is a paper shield with thin protections and no meaningful enforcement.

Beyond data privacy, the duty of care requires states to anticipate risks, build resilience, and assert independence — not just react to attacks but to thrive in adversity. This means raising revenue to independently fund the programs that the federal government is slashing to transfer even more wealth to the ultra-rich. Massachusetts has shown what can be possible: its voter-approved Millionaires Tax — a 4% surtax on annual income over $1 million — has generated more than $2.4 billion a year. Washington State, too, has enacted a 7% capital gains tax on high earners, raising over a billion dollars for public investment.

If democracy is to survive, states must act with vision and courage — investing in the common good, defending fundamental rights, and building economic resilience for all their people. In the face of federal plundering, states must not resort to austerity measures. No one should ever have to choose between civil rights and basic needs like food or access to healthcare. States owe their residents more, and the time for bold, principled leadership is now. As Martin Luther King Jr. reminds us, “The time is always right to do what is right.” Now is the moment for states’ leaders to rise to the challenge, honor the trust of their people, and safeguard the future of American democracy.

Authors

Adele Jasperse
Adelaida (Adele) Jasperse serves as Assistant General Counsel at the Massachusetts Executive Office of Health and Human Services, where she provides legal counsel on matters including data privacy and artificial intelligence. She is also a trained bioethicist and her research interests explore the i...
