HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

20 states sue HHS and DHS over alleged Medicaid data sharing

Written by Farah Amod | Jul 11, 2025 8:52:32 PM

A coalition of state Attorneys General claims the personal data of millions of Medicaid recipients was unlawfully disclosed to federal immigration authorities.

 

What happened

Twenty U.S. states have filed a lawsuit against the Department of Health and Human Services (HHS), the Department of Homeland Security (DHS), and their respective secretaries over the alleged unauthorized disclosure of Medicaid data to immigration officials. The complaint centers on claims that the data of millions of Medicaid recipients was shared with DHS, including Immigration and Customs Enforcement (ICE), without proper legal authority.

The lawsuit follows a report by the Associated Press in June that uncovered internal communications showing HHS officials attempted to prevent the transfer but were overruled by advisors to Secretary Robert F. Kennedy Jr. The disclosures reportedly affected Medicaid recipients in California, Illinois, Washington State, and Washington, D.C.

 

Going deeper

The Medicaid program serves over 78 million Americans and is administered by states in partnership with the federal government. While states have the flexibility to shape eligibility, they are required to protect personal health data under federal privacy laws.

Prosecutors allege that the data was disclosed to DHS with the intention of verifying immigration status, despite long-standing policy norms that prevent Medicaid data from being used for immigration enforcement. The CMS reportedly gave staff only 54 minutes to comply with the directive to transfer the data.

States including New York, Oregon, Minnesota, and Colorado, which also offer Medicaid coverage to undocumented immigrants, were not part of the data transfer, and their identifiable recipient data were not submitted to CMS.

The lawsuit claims the disclosures violated multiple federal statutes, including HIPAA, FISMA, the Privacy Act, and the Social Security Act. The coalition is seeking a court order to stop any further data sharing and to prevent DHS from using already shared Medicaid data for enforcement purposes.

 

What was said

HHS spokesperson Andrew Nixon confirmed the transfer occurred and stated that the department acted within its legal authority to ensure Medicaid benefits are reserved for those lawfully eligible. DHS also supported the move, citing concerns about unauthorized immigrants receiving federally funded benefits.

California Attorney General Rob Bonta, who is leading the lawsuit, called the data sharing illegal and harmful. “The Trump Administration has upended longstanding privacy protections,” he said. “We’re headed to court to prevent any further sharing of Medicaid data and to ensure any of the data that’s already been shared is not used for immigration enforcement purposes.”

 

The big picture

The case brings legal and ethical issues into focus regarding how health data is used in the context of immigration enforcement. Although data sharing between states and federal agencies is common in Medicaid administration, applying that information to unrelated enforcement efforts would mark a departure from established practice. The result may shape future federal data governance, particularly for programs that serve vulnerable communities.

 

FAQs

Can Medicaid data legally be shared with immigration enforcement agencies?

Federal law permits Medicaid data sharing for purposes tied to program administration, but using it for immigration enforcement is not standard practice and is now the subject of legal dispute.

 

What is the Spending Clause, and why is it mentioned in the lawsuit?

The Spending Clause allows Congress to set conditions on the use of federal funds. The lawsuit argues that data-sharing actions violated those conditions by repurposing Medicaid data in ways not tied to its intended use.

 

Does HIPAA cover Medicaid data shared between agencies?

Yes. HIPAA restricts the use and disclosure of protected health information, including data from Medicaid enrollees, except under specific circumstances. Unauthorized sharing with non-health-related federal agencies may violate those protections.

 

What happens if the court rules in favor of the states?

The court could issue an injunction to block future data transfers and prohibit DHS from using any Medicaid data already received for immigration enforcement.

 

How could this case affect undocumented immigrants seeking medical care?

Advocates warn that perceived breaches of privacy could discourage individuals from seeking care or enrolling in Medicaid, even in states where such access is legal due to fear of enforcement consequences.