What They Take When You Walk In

Most look like medical clinics. Most are not.

Most look like medical clinics. Most are not.

A pregnant woman in a small town in Louisiana walks into a building on a state highway. The sign outside says Pregnancy Center. The waiting room looks like a clinic. A volunteer in a white coat hands her a clipboard with an intake form.

Her last menstrual period.

Whether she has ever been pregnant before, and what happened.

Whether she drinks, smokes, or uses drugs. Whether she has ever had a sexually transmitted infection.

The name and contact information of the person she lives with. Her income. Her ethnicity.

She fills it out — and she believes she is in a medical office. The forms reference HIPAA. The volunteers ask the kinds of questions most doctors ask. And there is an ultrasound machine in the back room.

Three years later, a Sales and Customer Service Specialist for Next Level CMS demonstrates the company's database in a training video. The video is accessible on the open internet for a period of weeks or months. It contains the full names of 13 women who visited The Unexpected Pregnancy Center in New Iberia, Louisiana, along with their due dates, last menstrual periods, and whether they received an ultrasound or a pregnancy test. In another section of the video, a map shows where each woman lives.

A nonprofit watchdog, the Campaign for Accountability, finds the video. Researchers cross-reference the names with social media profiles and confirm the women are real people living in or near New Iberia. WWNO, the New Orleans NPR affiliate, independently verifies the match.

The women do not know.

This piece is about how that happened, and how it is happening still, and why almost no one is going to stop it.

I want to slow down here, because the regulatory architecture beneath this story is the part that gets skipped, and the part that, once you understand it, makes the rest of the story unsurvivable as anything but deliberate.

The Health Insurance Portability and Accountability Act (HIPAA) is the federal law most Americans assume protects the privacy of their medical information. It is the very law that requires the form you sign at every doctor's office. It is the law that makes a pharmacist whisper. It is the law that determines whether a hospital can tell your employer why you missed work — or whether they can discuss your medical information with your spouse.

It does not apply to crisis pregnancy centers because the vast majority of them are not licensed medical providers. They do not bill insurance. They do not employ physicians. They do not perform diagnostic procedures. The Congressional Research Service — Congress's nonpartisan research arm — confirmed this in plain language: "some nonprofit entities, often referred to as 'crisis pregnancy centers,' may offer a limited range of free pregnancy options, such as counseling, but may not provide licensed medical services. Such entities might receive information about visitors' reproductive health such as pregnancy status and length of gestation. However, such an entity may not be subject to the HIPAA Privacy Rule if it does not qualify as a health care provider, and may not be covered by the FTC Act if it is a nonprofit".

Read that twice. The Federal Trade Commission Act, which prohibits deceptive trade practices and which covers most non-HIPAA entities that handle health data — period-tracking apps, fitness trackers, telehealth platforms — does not apply to crisis pregnancy centers either, because most of them are nonprofits, and the FTC Act exempts nonprofits.

In the entire federal regulatory landscape governing the privacy of personal health information, there are two main frameworks. Crisis pregnancy centers are exempt from both. They sit in the only legal gap in American health-information regulation that exempts an entity from both federal frameworks.

A 2024 piece in Health Affairs by Carmel Shachar, a health-law expert at Harvard, described the situation precisely: "Generally, a crisis pregnancy center that provides services for free and does not bill health insurance does not meet the definition of a covered entity under HIPAA and therefore the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) do not apply". That was an HHS official's response to NBC News, under the Biden administration, when asked whether a recent regulation strengthening HIPAA protections for reproductive health data covered CPCs.

The administration that wanted HIPAA to apply to these facilities concluded it could not.

This would be a regulatory failure if the facilities in question were small, scattered, and operating in isolation. They are not.

As of 2019, there were approximately 2,600 crisis pregnancy centers in the United States, in contrast to 780 abortion clinics. Newer estimates put the number at 2,500 to 4,000, with the centers speaking with over one million people each year. Scholars estimate that in post-Dobbs America, 57 percent of the population lives closer to a CPC than to an abortion clinic, and in thirteen states, that figure is 99 percent.

The largest network among them is Heartbeat International, which says it has over 3,600 affiliates around the world. Heartbeat operates a 24/7 hotline called Option Line that, by its own promotional account, has spoken with over 8 million women since 2003.

Eight million women. None of them protected by HIPAA. None of them protected by the FTC Act. All of them giving information to an organization whose stated mission is preventing abortion.

In 2017, Heartbeat International introduced what it called a "game-changer" in its work: a centralized data infrastructure called Next Level CMS. Heartbeat's president Jor-El Godsey announced the system at the organization's annual conference in Chicago. Next Level promotes itself as a system that "harnesses the power of big data" and that "makes sure that no client ever falls through the cracks from the moment you say ‘Hello.’"

Privacy International, the British digital rights organization that first investigated Next Level in 2019, documented what the system collects from women who visit affiliated centers: "name, address, email address, ethnicity, marital status, living arrangement, education, income source, alcohol, cigarette, and drug intake, medications, medical history, STI history, name of referral, pregnancy symptoms, pregnancy history, medical testing information, and eventually ultrasound photos".

That is more comprehensive than what most actual medical providers collect at intake. And it is being collected by an organization to which no medical privacy law applies.

There is a moment in a 2022 recording from Heartbeat International's Annual Conference, captured in the documentary Preconceived and reproduced in a 2024 essay by Susannah Baruch, the Executive Director of Harvard Law School's Petrie-Flom Center for Health Law Policy, that I want to put on the record carefully. A speaker at the conference, addressing other CPC operators, says this:

Read that as many times as you need. The speaker is describing tracking individual women across devices, by the SIM card identifier in their phone, to measure whether digital advertising eventually drove them to a Heartbeat-affiliated center. This is surveillance-industry methodology. This is the data architecture of targeted advertising. It is being applied to women looking for pregnancy resources in the most vulnerable moment of their lives.

Heartbeat's own promotional video for Next Level, also captured in Preconceived, calls the system a "data mine" and says: "The data that will be collected actually will benefit everyone! It will be open to everyone! We will have, with Next Level, our own data mine, that we can truly use to find answers to the kind of questions that will make us even more effective."

A data mine. Open to everyone. The pronouns are doing work in that sentence — the "everyone" is not the women whose data has been mined.

The Louisiana breach in May 2024 is the case I want to return to, because it is the moment when this stopped being theoretical.

Investigative reporter Jessica Valenti, in her newsletter Abortion, Every Day, obtained training videos from Heartbeat International and reported on them. The videos showed Khristey Reeves, a "Sales and Customer Service Specialist" for Next Level, demonstrating how to use the software to thousands of CPC affiliate trainees. In the demonstration, Reeves scrolled through real client records belonging to thirteen women who had visited The Unexpected Pregnancy Center in New Iberia, Louisiana.

Visible on the training video: full names, due dates, last menstrual periods, ultrasound and pregnancy test status, ethnicity, marital status, living arrangement, education, employment, income.

The Campaign for Accountability, after finding the video, filed a complaint with the U.S. Department of Health and Human Services. That complaint is what produced the official HHS acknowledgment that crisis pregnancy centers are not HIPAA-covered entities. The complaint that began as an attempt to hold one CPC accountable produced a federal government finding that the entire industry is exempt from federal privacy law.

The Campaign for Accountability subsequently asked Louisiana Attorney General Liz Murrill to investigate The Unexpected Pregnancy Center for violations of the Louisiana Deceptive Trade Practices Act and the Louisiana Database Security Breach Notification Law. The center's website continues to assure clients that "your visit and any information you share with us is completely confidential" and that the center "will not share any personal information about you or your visit with anyone outside of our organization".

The thirteen women's data was, for a period in 2024, on the open internet.

This is not the first warning.

In September 2022, three months after the Supreme Court overturned Roe v. Wade, when the privacy of reproductive health data became, overnight, a question of legal exposure, Senator Elizabeth Warren sent a formal letter to Heartbeat International president Jor-El Godsey raising specific concerns about Next Level CMS. The letter cited Heartbeat's own promotional language about "harnessing the power of big data." It noted that women contacting CPCs share "sexual and reproductive histories, test results, [and] ultrasound photos". And it raised the specific concern that "the lack of transparency and lack of protection will allow the data Heartbeat International and its affiliates collect to 'be used in pregnancy- and abortion-related prosecutions'".

Heartbeat's response, as reported by Valenti, was to retain the First Liberty Institute, a religious-liberty legal organization, to push back on Warren's questions. First Liberty attorney Jeremy Dys accused Warren of "encouraging attacks at crisis pregnancy centers" and wrote that her "calculated rhetoric encouraged vandals who have unleashed their criminal activity across the country". Heartbeat's lawyers assured Warren that "confidentiality has been a core principle for life-affirming organizations for decades".

Two years later, the names of thirteen women were on the open internet.

I want to be explicit about the stakes, because they are not abstract.

There are at least three named cases in the recent American legal record of women being prosecuted for pregnancy outcomes — stillbirths, miscarriages, abortions — using their digital data as evidence.

The infrastructure to prosecute pregnancy outcomes already exists in this country. Search histories have been subpoenaed. Text messages have been obtained. Period-tracking apps have produced data used in legal proceedings. The CPC database is one more source feeding the same machine.

Tara Murtha, director of strategic communications at the Women's Law Project, puts the question precisely: "Given its anti-abortion mission, why should anyone trust that Heartbeat International would not share personal data it is storing with law enforcement investigating women where pregnancy and abortion are criminalized?"

There is no good answer to that question from Heartbeat's side. The organization's stated mission is to prevent abortion, and the centers it operates collect comprehensive personal information from women who, in many cases, are considering or have had abortions. This includes states in which many of those centers operate, and now criminally prosecute abortion. Legal protections that would normally prevent this kind of information from being shared with law enforcement do not apply.

The conditions for what advocates call "an abortion surveillance state" are not being built. They have been built. The architecture is already standing. What is missing is the prosecution that establishes the precedent. Once that prosecution happens, the rest of the system is already in place to do its work.

Some movement, recently, but not enough.

Following the Campaign for Accountability complaint, HHS issued a formal letter acknowledging that CPCs are not HIPAA-covered. In response, Heartbeat International began advising affiliates not to invoke HIPAA in their patient communications, and the smaller umbrella organization NIFLA issued similar guidance. But the guidance is voluntary. The Record reported in July 2025 that some CPCs continue to mislead women about HIPAA protections.

There is also a live case at the Supreme Court. The New Jersey Attorney General's office issued a subpoena to a chain of CPCs, First Choice Women's Resource Centers, to investigate concerns about misleading donors, unlicensed practices, patient privacy violations, and false medical claims. The chain refused to comply. The case has now reached the Supreme Court, which is being asked to decide whether the state's subpoena power can compel disclosure from a CPC. A ruling in favor of the centers would meaningfully limit state-level accountability for the entire industry.

Heartbeat International's current public position, as stated in a recent letter to The Record, is that affiliates voluntarily implement privacy and security practices that align with HIPAA standards.

Carmel Shachar's response: the centers are "benefiting from the reputation of HIPAA without having the accountability of HIPAA".

The best marketing ideas come from marketers who live it. That’s what The Marketing Millennials delivers: real insights, fresh takes, and no fluff. Written by Daniel Murray, a marketer who knows what works, this newsletter cuts through the noise so you can stop guessing and start winning. Subscribe and level up your marketing game.

I have been writing about Project 2025 for the past year, page by page. The Health and Human Services chapter, written by Roger Severino, explicitly calls for the federal government to redirect funding to crisis pregnancy centers. Saving America by Saving the Family, Heritage's 2025 supplementary publication, makes the same recommendation, but more aggressively.

The legal infrastructure protecting CPCs from accountability — the First Liberty Institute, NIFLA, the NIFLA v. Becerra precedent that struck down California's CPC disclosure law — is the same legal infrastructure built into the Project 2025 implementation pipeline. The funding pipeline is the same pipeline. The personnel pipeline is the same pipeline. There is one apparatus, and the CPC data infrastructure is one of its arms.

The women who walked into The Unexpected Pregnancy Center in New Iberia did not walk into a rogue facility. They walked into a node of a national network deliberately funded, legally protected, and politically expanded by an administration whose foundational document calls for exactly this kind of infrastructure. The breach was not a glitch. The breach was a feature of a system working as designed.

The thirteen women in New Iberia are real. They live in a small town in Louisiana today. Some of them, presumably, still do not know that their names appeared on a training video that was, for a period, accessible to anyone with an internet connection. Some of them, presumably, have continued to receive services from The Unexpected Pregnancy Center, which still states on its website that client information is held in strict confidence.

The women whose data is in the Next Level CMS database — the women who came through the doors of any of Heartbeat International's 3,600 affiliated centers since 2017 — number in the millions. Their information is held by an organization with no legal obligation to protect it, no legal obligation to delete it, and no legal obligation to notify them if it is shared, sold, lost, leaked, or subpoenaed. That information sits inside a database whose own promotional materials describe it as a "data mine." It sits inside a database whose architects, in a 2022 conference recording, openly describe tracking SIM card identifiers on clients' phones.

A senator has raised this. A state attorney general has raised this. A Harvard health-law expert has raised this. The Congressional Research Service has raised this. Time magazine has raised this. The Electronic Frontier Foundation has raised this. The ACLU has raised this. Privacy International raised this in 2019, six years before the rest of us caught up.

The system is still standing. The data is still being collected. The breach in Louisiana, the only documented case of an actual public exposure, produced an HHS letter that confirmed the centers were never bound by federal law in the first place. The fix that emerged was a voluntary advisory from the largest umbrella organization, which advised its affiliates not to invoke HIPAA in their patient communications. The data collection itself was not affected. The database remains operational. The training videos are still being made.

A pregnant woman walks into a building on a state highway. The sign outside says Pregnancy Center. She fills out the form. She believes she is in a medical office.

She is in a node of a national surveillance infrastructure, built deliberately, protected legally, and aligned with an administration whose explicit policy goal is to make her decision about her pregnancy a matter of state interest. What she gives them, they keep. What they keep, they share. What they share, in a country building toward the criminal prosecution of pregnancy outcomes, is evidence.

f you work in fintech or finance, you already have too many tabs open and not enough time.

Fintech Takes is the free newsletter senior leaders actually read. Each week, I break down the trends, deals, and regulatory moves shaping the industry — and explain why they matter — in plain English.

No filler, no PR spin, and no “insights” you already saw on LinkedIn eight times this week. Just clear analysis and the occasional bad joke to make it go down easier.