Anti-abortion group accused of electronically intercepting patients’ exchanges with clinic
A Massachusetts woman used an online platform to schedule an appointment seeking abortion medication from a local clinic in May. Two minutes after she uploaded her insurance information to finalize the appointment, a representative from a nearby “pregnancy crisis center” allegedly called the woman and, purporting to be the clinic, told her she needed to come in for an ultrasound prior to obtaining the medication.
The crisis center — the Attleboro Women’s Health Center (AWHC) — had intercepted the electronic communications between the abortion clinic and the woman, according to a lawsuit filed by the clinic, Four Women Health Services.
AWHC allegedly called the woman, listed in the lawsuit as Jane Doe 6, on her personal cell phone despite her never having provided the number to them, according to the suit. Jane Doe 6 is one of four known women, the lawsuit said, whose communications are believed to have been intercepted by the crisis center.
In September, the federal judge presiding over the case ordered AWHC to stop intercepting the clinic’s electronic communications and refrain from contacting its patients, saying that Four Women had “demonstrated a sufficient likelihood of success on the merits of its claims” that AWHC violated the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Massachusetts wiretap statute.
The big picture
The case is the latest example of how reproductive health patients face unusual digital privacy threats as they seek care.
In February, Sen. Ron Wyden (D-OR) released the results of an investigation his office undertook into how an anti-abortion political organization obtained mobile phone location data from a data broker in order to target 600 abortion clinic visitors in 48 states with anti-abortion ads.
The senator asked the Federal Trade Commission and the Securities and Exchange Commission to take action against the company allegedly responsible for the scheme.
“If a data broker could track Americans’ cell phones to help extremists target misinformation to people at hundreds of Planned Parenthood locations across the United States, a right-wing prosecutor could use that same information to put women in jail,” Wyden said in a statement at the time.
The Four Women case is “pretty unique,” according to Daly Barnett, a staff technologist focused on reproductive health at the Electronic Frontier Foundation.
As with the Wyden findings, the Massachusetts case is “another example of how fraught and sensitive this issue space is,” Barnett said.
A staffer answering the phone at AWHC said defendants Catherine Roman, Nicole Carges and Darlene Howard did not want to comment for this story.
In a court filing, the defendants argued that Four Women has “no real evidence to support its allegations that the defendants engaged in illegal wiretapping and computer fraud.”
A history of tension
Four Women is the only clinic offering surgical abortion services in southeastern Massachusetts and is only one of three providing abortion care generally, according to its complaint.
AWHC has long sought to confuse Four Women patients and has historically deceived them when they have inadvertently come into its offices, the Four Women complaint alleges.
The pregnancy crisis center moved directly next door to Four Women years ago and AWHC workers allegedly patrol a shared parking lot, giving Four Women patients anti-abortion literature, according to court filings.
AWHC is not a licensed medical facility, meaning it is illegal for it to provide ultrasounds, gynecological care or any of the other medical services it advertises, according to the complaint. Four Women said that at least one prospective patient who mistakenly ended up at AWHC was told she could not obtain the abortion pill until after AWHC performed what its staff said was an ultrasound, the lawsuit said.
After the ultrasound, which is not considered medically necessary for abortion medication to be dispensed, the patient was allegedly told she needed to come back two weeks later for a second ultrasound in order to obtain the medication to terminate her pregnancy, the lawsuit said.
Four Women said that AWHC’s alleged tactics could have endangered lives because delaying reproductive care can be fatal in some pregnancies.
Unanswered questions
It’s unclear if more than four patients could be victims of AWHC’s alleged interception of electronic communications between women and the abortion clinic. It also remains unclear how the communications between Four Women and its patients were intercepted. An insider with access to Four Women login credentials or a hack are both seen as possible entry points.
Regardless, outside experts say, the real-time nature of the interference makes it clear there was a breach of some kind.
“The speed at which these patients were getting the [AWHC] contact after delivering those [Four Women booking] forms — that's a very clear indication of compromise,” Barnett said.
The clinic’s cloud-based scheduling platform and health care management system are the “most likely points through which AWHC may have accessed Four Women patient information,” according to a September affidavit submitted by a cybersecurity incident responder from the company Rapid7.
Four Women believes AWHC is “hacking into and obtaining information from Four Women’s Klara and/or Athena platforms,” its court filings say, citing Rapid7’s findings. The abortion clinic acknowledges that it is not yet clear how AWHC infiltrated its systems, leaving the possibility of an insider threat open.
Four Women uses Klara Health for scheduling and Athena Health for managing electronic health records and other data.
Klara is managed remotely, and the messages it enables are not visible or stored anywhere on the Four Women website, according to an affidavit from the Rapid7 incident responder.
Athena Health, like Klara, is cloud based and all of the patient visitation schedules it stores “resides on the platform,”the Rapid7 consultant’s affidavit said.
Rapid7 declined to comment when asked for additional detail on its findings and whether the company’s incident responder believed a hack was likely.
Confused patients
The alleged AWHC scheme used two tactics to achieve its goal of delaying or blocking women seeking abortions, according to Four Women’s court filings.
AWHC tries to prevent patients from “attending the appointment they scheduled with Four Women — in some cases by hijacking the potential appointment, and in other cases by leading the patient to believe their existing appointment with Four Women has been canceled,” a court filing alleged.
“Defendants’ hacking into Four Women’s confidential patient-client communications system to access that confidential information is a gross invasion of Four Women’s privacy and the privacy of the patients that must be stopped,” it added.
Four Women only learned about the alleged interceptions when patients reported they had heard from AWHC staffers who knew about their clinic appointments, according to the complaint.
In at least three cases, the AWHC outreach to women occurred in “real time,” directly following communications with Four Women, according to court filings.
AWHC allegedly called one woman, Jane Doe 5, as she was in the middle of messaging Four Women to make her ultrasound appointment. Jane Doe 5 was allegedly left with the impression that she had scheduled an appointment with Four Women when she had in fact booked her appointment with AWHC, whose staff called her minutes after she began scheduling conversations with the clinic.
The pregnancy crisis center also allegedly contacted another woman on the day of her Four Women appointment when she had never before been in touch with AWHC, according to the abortion clinic’s court filings, which say that AWHC staff pushed the woman to come to their offices instead.
Patients not seeking abortions also were targeted by AWHC, according to the lawsuit.
Minutes after a Four Women patient seeking birth control made an appointment with the clinic, she received a call from AWHC, whose staff allegedly led her to believe she was speaking with Four Women. She was told that the clinic could not give her birth control and was instead invited to a diaper give-away, according to the lawsuit.
Some of the women ensnared in the alleged scheme completed complaint forms against AWHC saying they are willing to share their experiences with law enforcement.
“I was referred to Four Women by my obgyn and the day of my appointment Attleboro Womens (AWHC) started calling my personal number,” one of the women’s forms said. “I haven’t reached out to them at all. They tried setting me up with someone from their office to discuss my options after explicitly explaining that I did not need their services.”
While this case is unusual, Barnett said it is nonetheless a reminder of why society needs to “think bigger” when it comes to protecting the privacy of those seeking reproductive health care.
“Health data right now feels very sensitive and scary when health care is being criminalized across the country,” Barnett said.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.