Unregulated Pregnancy Clinics Collect Health Information From Pregnant People—With No Privacy Protection

Crisis pregnancy centers promise confidentiality, leaving women seeking reproductive healthcare to trust that the information they provide is legally protected. It is not.

The Care Net Pregnancy Center in Edgewood, N.M., on Feb. 21, 2024. (Valerie Macon / AFP via Getty Images)

This summer, the antiabortion movement is mounting an offensive against bipartisan bills to establish federal data privacy protections for Americans and long-overdue online protections for children. Why? Anti-abortion leaders claim these laws would shut down “pro-life” organizations—including thousands of their unregulated pregnancy clinics—by legally compelling them to comply with consumer and medical privacy standards.

Unregulated pregnancy clinics (UPCs), also known as crisis pregnancy centers, or CPCs, are largely religious nonprofits that oppose abortion and contraception, and function as the mass, retail-facing backbone of the anti-choice movement. The unregulated pregnancy clinic industry is mostly led by three antiabortion advocacy organizations: Care Net, Heartbeat International and National Institute of Family and Life Advocates (NIFLA), which provide the sophisticated digital infrastructure UPCs across the country are using to collect and retain personal and health information from pregnant people—with no privacy protections.

Privacy and Unregulated Pregnancy Clinics

UPCs intercept women and teens seeking reproductive healthcare using deceptive advertising; disinformation about abortion, contraception and pregnancy; and claims of free medical services like pregnancy tests, ultrasounds and counseling. But UPCs are not regulated medical businesses. Unlike the medical community, which is highly regulated and governed by strict professional and legal obligations to protect patient privacy, crisis pregnancy centers have no such obligation.

Yet, the vast majority of the estimated 2,500 to 4,000 UPCs around the U.S. promise confidentiality. Hundreds claim to be governed by HIPAA, the federal law that governs patient privacy, and many UPCs affiliated with Care Net and Heartbeat International post privacy policies that refer clients with grievances to the Department of Health and Human Services (HHS) HIPAA office.

An HHS spokesperson recently told NBC News, “A crisis pregnancy center that provides services for free and does not bill health insurance does not meet the definition of a covered entity under HIPAA and therefore the HIPAA Privacy, Security, and Breach Notification Rules (‘HIPAA Rules’) do not apply.” 

UPC industry leaders appear to agree.

According to Care Net, “Most centers do not meet the legal definition of a covered entity under the HIPAA regulation because they do not furnish, bill, or are paid for health care in the normal course of business and do not transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by HHS.”

Yet many unregulated pregnancy clinics claim or imply HIPAA compliance, and UPCs that do not directly invoke HIPAA or HHS have websites that create the appearance that they are medical facilities, using clinical language and images of people in medical attire, as well as promises of confidentiality, leaving women seeking reproductive healthcare to trust that information they are asked to provide is legally protected. It is not.

Unregulated pregnancy clinics nationwide are deceiving pregnant women and teens into providing sensitive health information—date of last menstrual period, use of birth control, pregnancy history and outcomes, drug and alcohol use and interest in abortion—but operate under no legal requirement to protect client confidentiality and no regulatory authority that would govern their handling of client data. This means UPCs are essentially free to share the sensitive information they are collecting from pregnant people as they wish—information that could be weaponized in pregnancy- or abortion-related investigations post-Roe.

Anti-choice Movement Mobilizes to Block Data Privacy Standards

This summer, federal lawmakers have been advancing the American Privacy Rights Act (APRA), a bipartisan proposal to establish first-time national standards for consumer data privacy, including for children. In advance of a June markup of the bill in the House Energy and Commerce Committee, the House Freedom Caucus circulated a memo claiming APRA would threaten “pro-life” organizations in possession of client health information, and that mandating compliance with data privacy standards would expose unregulated pregnancy clinics to “service-ending legal fees” that could shut them down.

The conservative political advocacy group, Catholic Vote, also sent a letter opposing APRA to members of Congress, claiming the law “could threaten the effectiveness and daily functions of life-affirming pregnancy resource centers.” Reports emerged that “if pro-life groups come out forcefully against the bill, it will not be able to move forward.”

On June 27 at 10 a.m., the House Committee was scheduled to mark up the APRA bill. Five minutes later, as privacy lawyers around the country tuned in to the hearing, the markup was “canceled.”

In July, the anti-choice movement further mobilized to oppose the bipartisan Kids Online Safety Act (KOSA), which NBC News heralded as one of “the most significant child online safety bills in decades.” KOSA would require social media companies to better protect users under age 17, provide guardians more control over minors’ use of online platforms and require dedicated pages for reporting harmful content.

An anti-choice movement document opposing the bill (“KOSA is a huge threat to pro-life groups”) echoed movement arguments against APRA, including that KOSA “could be used to demand that pro-life groups delete or refrain from using personal information of women who have sought their assistance.”

On July 30, the U.S. Senate overwhelmingly passed KOSA by a vote of 91-3. KOSA will now go to the U.S. House, where it is expected to face anti-choice opposition. Speaker Mike Johnson (R-La.) has not yet scheduled a vote.

How Fake Abortion Clinics Maintain Secrecy

An in-depth investigation by Privacy International found that the global organization Heartbeat International (HBI), with the largest network of UPC affiliates in the U.S., is leading the antiabortion movement’s effort to collect information from pregnant people and create “digital dossiers” on UPC clients. Privacy experts call the information HBI collects through its UPC client data platform, online appointment portals, and centralized hotlines, chat services and websites, a “data honey pot” for prosecutors in states where abortion is illegal.

HBI president Jor-El Godsey told NBC News, “Pregnancy help organizations comply with all applicable laws, including state-level data privacy laws and applicable HIPAA provisions … which includes safeguarding her private information and honoring her trust—hence the ethical duty to maintain confidentiality.” 

But Heartbeat and its allies in the UPC industry repeatedly resist efforts to understand how they protect and use client data, partnering with conservative legal powerhouses including Alliance Defending Freedom, First Liberty Institute and Thomas More Society to fight any accountability.

For example, amidst growing concerns about abortion surveillance in the wake of the Dobbs ruling, Sen. Elizabeth Warren (D-Mass.) and a group of U.S. Senate colleagues sought information from Godsey about Heartbeat’s data collection and storage practices, including via the “Next Level” client data platform, which is used by UPCs across the country. The senators asked HBI about what personal health information (PHI) it collects through its UPC affiliates, if any of that data is subject to HIPAA, if HBI shares or sells client PHI, and if data collected using HBI platforms has ever been requested by law enforcement. In response, HBI engaged First Liberty Institute, which represents antiabortion and anti-LGBTQ rights activists around the country, to refuse to provide this information and challenge the Senators’ authority to even request it.

In another example, Alliance Defending Freedom (ADF)—the Christian legal organization that spearheaded the strategy to overturn Roe v. Wade—is suing to block a New Jersey Attorney General investigation into UPC handling of patient data and promotion of “Abortion Pill Reversal” (APR).

The UPC industry is using legal tactics to maintain secrecy:

  • ADF sued the Washington attorney general for investigating claims of deceptive UPC trade practices, and the state of Vermont to block a UPC accountability law passed last year.
  • Becket Fund represented a New York UPC to stop the state health department from requiring it to participate in a UPC impact study.
  • Becket Fund represented a Colorado UPC to challenge a law prohibiting APR.
  • Thomas More Society is representing HBI in legal action against the California attorney general for investigating deceptive practices associated with APR.

UPC Industry Privacy Practices Under New Scrutiny

Fears about deceptive, ungoverned and secretive data practices by the UPC industry are not theoretical. 

On May 30, 2024, journalist Jessica Valenti published a blockbuster report of a massive client data breach by Heartbeat International. Valenti found that HBI has exposed the personal and health information of pregnant women who visited UPCs in Louisiana in videos that anyone online could access. HBI staff conducting online trainings on the Next Level client management software exposed UPC clients’ personal information including marital status, “living situation,” and a map showing where they live, and private health information, including date of last menstrual period, due date, pregnancy test and ultrasound results. While HBI has now made training videos password protected, it is unknown how long this private client information was publicly available online. 

After viewing the videos, Valenti concluded, “the antiabortion powerhouse has been collecting and recklessly sharing women’s private health data with corporate employees, thousands of center trainees and, in one case, anyone with an internet connection.” She also noted the videos showed that “Heartbeat isn’t encrypting or de-identifying client data…that they’re allowing non-medical corporate employees—not just local affiliate staff—to see people’s confidential health information” and that “corporate employees had access to client data at all Heartbeat CPCs, not just…in Louisiana.”

This HBI data breach comes in the wake of evidence that UPC client data has already been weaponized. In her book, The Pregnancy Police, Professor Grace E. Howard documents a 2017 case in which an Alabama UPC provided client records that supported prosecution of a woman who tested positive for drugs after giving birth. Law enforcement used the private health data the woman provided the Birmingham-based Sav-A-Life Pregnancy Center where she accessed a free ultrasound—her contraceptive practices, her menstrual cycle regularity, and the date of her last menstrual period—to argue that she was aware of her pregnancy when she used drugs, and charge her with criminal chemical endangerment. 

UPC advertising especially targets women at greatest risk for such pregnancy-related prosecutions: low-income women, young women, and women of color. Moreover, in a world where sophisticated cyber criminals routinely hack data caches to perpetrate financial fraud, identity theft, and cyber harassment, deceptive data collection by unregulated pregnancy clinics threatens consumer privacy and safety on multiple fronts. 

Advocates and Voters Want UPCs to Be Accountable for Protecting Data Privacy

The deceptive data practices of anti-abortion pregnancy clinics are a profound concern in the post-Roe legal reality, as women seeking abortion are targets of extremist groups, lawmakers, and legal officers seeking to punish them, their medical providers, and their support networks. States banning abortion are aggressively seeking to prosecute people traveling for care, and some UPC websites now seek to intercept women traveling for care. Overzealous prosecutors wanting to punish women they suspect of ending a pregnancy will use whatever information they can get to justify a prosecution, and 19 state attorneys general have claimed the right to access medical records of any resident traveling out-of-state for abortion. 

In response, the watchdog group Campaign for Accountability (CfA) has filed consumer complaints calling on attorneys general in Idaho, Minnesota, New Jersey, Pennsylvania and Washington to investigate the deceptive and dangerous privacy practices of UPCs affiliated with Heartbeat International and Care Net, and take decisive action to protect the privacy and safety of pregnant people interacting with UPCs in their states. 

In a statement announcing the complaints, CfA executive director Michelle Kuppersmith said, “Tricking consumers into believing their sensitive health information will be kept confidential by claiming it is HIPAA covered when it is not, isn’t just despicable, it’s deceptive and likely violates state consumer protection laws prohibiting deceptive marketing. Attorneys general should not hesitate to take on those who prey on women with disingenuous claims of confidentiality.”

Americans across the political spectrum agree. Recent polling shows that 75 percent of voters are concerned about unregulated pregnancy center privacy practices, and 71 percent want UPCs to be regulated. Moreover, 55 percent of voters say they would be more favorable to an elected official who takes action against UPCs, including 48 percent of swing voters—those who decide elections. Notably, voters also feel strongly (96 percent agree) that “any organization that receives tax dollars must be able to account for how it spends them.” 

Since the fall of Roe v. Wade, funding for UPCs has skyrocketed from both taxpayer and private sources. Yet there is little oversight, fiscal accountability or impact analysis of this billion-dollar industry, and no oversight of its data privacy practices. As the anti-choice movement works to block federal data privacy protections out of concern that mandating compliance would expose UPCs to litigation that could shut them down, Americans must ask: what do anti-choice leaders know about the data practices of antiabortion pregnancy clinics that would cause such a concern?

According to CfA’s Kuppersmith, “No one should have to worry about their personal health information falling into the hands of anyone who might seek to use that information against them. Consumers have the right to know exactly how their sensitive data will be used before they share it.”

About

Jenifer McKenna is senior advisor at Reproductive Health and Freedom Watch, co-founder of California Women's Law Center, and co-author of the 2021 report "Designed to Deceive: A Study of the Crisis Pregnancy Center Industry in Nine States." She can be reached at jenifermckenna@mjmconsulting.org.