“If she was a legitimate employee, she would have to have some agreement in place,” Goodman said. “If I’m an authorized entity sharing private information, I want an assurance I won’t find it on the highway.”

Asked if she was ever presented with any paperwork or agreement that might fit this requirement, Hains said she was not.

“[Adams] never presented me with any paperwork and I never signed anything in that regard,” Hains said.

Goodman said that HIPAA also requires technological protections of patient data, which for many providers often means using encryption, and/or software that tracks who has viewed the information.

“If you wanted to protect the information, you wouldn’t have just attached it. Would it be unusual? No. Would it be a violation of the law? Yes,” Goodman said.

“If I send it to you on your Gmail account, how do I know you’re not sharing it with friends? Anybody you give your password to — your husband, your mother — they now have access.

“That’s where the security fear comes in.”