Multistate Coalition Alleges Privacy Breaches and Harm to Public Health
A coalition of twenty states, led by California, today filed a lawsuit against the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Homeland Security (DHS), including their respective secretaries, Robert F. Kennedy Jr. and Kristi Noem.
The lawsuit, filed in the U.S. District Court for the Northern District of California, alleges that the federal government unlawfully transferred sensitive personal health data of millions of Medicaid beneficiaries to DHS for immigration enforcement purposes, without notice or consent.
The complaint seeks declaratory and injunctive relief to halt what the plaintiff states describe as an unprecedented and illegal breach of privacy. The states argue that this action by the Trump administration jeopardizes public health, undermines state Medicaid programs, and violates multiple federal laws, including the Social Security Act, the Privacy Act, HIPAA, and FISMA.
READ: California Man Indicted For First-Degree Murder Of Wife In Arizona Long-Term Care Facility
According to the lawsuit, in June 2025, HHS’s Centers for Medicare & Medicaid Services (CMS) allegedly handed over a “trove” of individuals’ protected health data obtained from states like California, Illinois, and Washington, to DHS. This transfer, the states contend, occurred “without their consent, and in violation of federal law.”
The plaintiffs claim that this policy change was implemented abruptly, without public input or reasoned decision-making, and that it “silently destroyed longstanding guardrails that protected the public’s sensitive health data.”
“If members of our community cannot trust that the government will keep their medical history and other personal data safe, they will think twice about going to the doctor when needed,” the complaint states.
HHS reportedly justified the data sharing by stating it was “to ensure that Medicaid benefits are reserved for individuals who are lawfully entitled to receive them,” implying widespread Medicaid beneficiary fraud. However, the plaintiff states argue that Congress explicitly extended coverage for emergency Medicaid to all U.S. residents, regardless of immigration status. They assert that existing federal systems like the Systematic Alien Verification for Entitlement (SAVE) database are already used for eligibility verification, making this mass data transfer unnecessary for legitimate program oversight.
READ: Appeals Court Sides With Florida In Pronoun Battle With Hillsborough County Trans Teacher
The lawsuit highlights reports that the Department of Government Efficiency (DOGE), with the assistance of technology company Palantir, has been amassing federal benefit data to build a searchable database for various purposes, including assisting U.S. Immigration and Customs Enforcement (ICE) in immigration enforcement actions.
A former Palantir engineer is cited as warning that “combining all that data, even with the noblest of intentions, significantly increases the risk of misuse.”
The plaintiff states express fear that the administration intends to “punish individuals who receive emergency medical care for themselves or their children using Medicaid… by using the data collected from their hospital visit to locate and deport them.” This is compounded by DHS’s reported rescission of a long-standing directive that prohibited ICE from conducting immigration enforcement operations at “sensitive locations” like hospitals.
READ: Political Heavyweights Sound Alarm As NYC Mayoral Nominee’s “Extreme” Views Jolt Dem Establishment
The complaint details the specific harms the states anticipate, including:
- Chilling Effect on Healthcare Access: The data transfer is expected to create a “predictable chilling effect” on individuals, particularly immigrants and mixed-status families, from enrolling in or seeking care through Medicaid programs. This fear could lead to individuals avoiding life-saving treatment, including emergency medical care and prenatal services.
- Financial Strain on States: A reduction in Medicaid enrollment due to fear of data sharing will directly decrease federal funding to states, forcing them to incur increased uncompensated costs for mandated emergency healthcare services. Hospitals, especially those serving low-income and noncitizen populations, are expected to be disproportionately affected.
- Erosion of Trust and Public Health: The states argue that the federal government’s actions undermine the trust essential for the effective administration of public health programs, potentially leading to “dire health consequences” and increased morbidity and mortality.
READ: Victor Davis Hanson Challenges Zohran Mamdani’s “Whiter Neighborhood” Tax Plan
The coalition of states brings five causes of action:
- Violation of the Administrative Procedure Act (APA) – Arbitrary and Capricious: The states argue that the data transfer was an unreasoned decision, failing to consider important privacy and public health consequences and ignoring established federal policies.
- Violation of the APA, Contrary to Law: The lawsuit asserts that the data transfer contravenes the Social Security Act, the Privacy Act, and HIPAA, which impose strict limits on the disclosure and use of personal health information. It highlights that immigration enforcement is not a permissible ground for disclosing Medicaid data.
- Violation of the APA – Rulemaking Without Proper Procedure: The states contend that HHS abandoned or substantially amended well-established confidentiality requirements without providing notice and opportunity for public comment, as required by the APA.
- Spending Clause: Lack of Clear Notice: The states argue that conditioning federal Medicaid funding on consent to unfettered data transfer for immigration enforcement is unconstitutional, as they did not have clear notice of such a condition when accepting federal funds.
- Ultra Vires: The complaint alleges that HHS and DHS acted beyond their statutory authority in disclosing and using Medicaid data for purposes unrelated to Medicaid program administration.
The plaintiff states are: Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New Mexico, New York, Oregon, Rhode Island, Vermont, and Washington.
They seek a declaration that the data transfer was unlawful, a permanent injunction against further such transfers, and the impoundment, disgorgement, and destruction of all unlawfully disclosed Medicaid data.
Please make a small donation to the Tampa Free Press to help sustain independent journalism. Your contribution enables us to continue delivering high-quality, local, and national news coverage.
Connect with us: Follow the Tampa Free Press on Facebook and Twitter for breaking news and updates.
Sign up: Subscribe to our free newsletter for a curated selection of top stories delivered straight to your inbox.
