Marlon Jones was arrested for taking legal painkillers, prescribed to him by a doctor, after a double knee replacement.

Jones, an assistant fire chief of Utah’s Unified Fire Authority, was snared in a dragnet pulled through the state’s program to monitor prescription drugs after someone stole morphine from an ambulance in 2012. To find the missing morphine, cops used their unrestricted access to the state’s Prescription Drug Monitor Program database to look at the private medical records of nearly 500 emergency services personnel—without a warrant.

Jones was arrested along with another firefighter and a paramedic on suspicion of prescription fraud.

“I got a call at work from the police chief, who I know and work with,” Jones testified before a state senate committee last year. “He said ‘We think you have a problem, you’re taking too many medications. We need to make sure you’re no longer a threat to the community or yourself. So we’re doing this to help you.’”

Jones described in tearful detail what happened next.

“There were three police officers pounding on the door. They said they had a warrant for my arrest and they were going to take me in,” he said. “It was the middle of the day, on my front doorstep, in front of my wife and daughter. I’m handcuffed and stuffed into a police car and they haul me to jail.”

Jones was hit with 14 felony counts but all of them were later dropped.

Now the Drug Enforcement Administration wants that same kind of power, starting with access to an Oregon database containing the private medical data of more than a million people.

The DEA has claimed for years that under federal law it has the authority to access the state’s Prescription Drug Monitor Program database using only an “administrative subpoena.” These are unilaterally issued orders that do not require a showing of probable cause before a court, like what’s required to obtain a warrant.

In 2012 Oregon sued the DEA to prevent it from enforcing the subpoenas to snoop around its drug registry. Two years ago a U.S. District Court found in favor of the state, ruling that prescription data is covered by the Fourth Amendment’s protection against unlawful search and seizure.

But the DEA didn’t stop there. It appealed the ruling to the U.S. Ninth Circuit Court of Appeals in San Francisco and has been fighting tooth and nail ever since to access Oregon’s files on its own terms.

The case pits the full weight of the Obama administration against the state of Oregon and five individual plaintiffs, two of whom (John Doe 2 and John Doe 4) are transgender and take prescription hormone drugs that are covered by Oregon’s prescription monitoring law.

In his 2014 ruling against the DEA, District Court Judge Ancer L. Haggerty called warrantless searches of such data an egregious invasion of privacy.

“It is difficult to conceive of information that is... more deserving of Fourth Amendment protection,” Haggerty said. “By obtaining the prescription records for individuals like John Does 2 and 4, a person would know that they have used testosterone in particular quantities and by extension, that they have gender identity disorder and are treating it through hormone therapy.

“Although there is not an absolute right to privacy in prescription information... it is more than reasonable for patients to believe that law enforcement agencies will not have unfettered access to their records,” he added.

The Obama administration disagrees, and argues that since the records have already been submitted to a third party (Oregon’s PDMP) that patients no longer enjoy an expectation of privacy.

In an affidavit, one of the plaintiffs said he already faces difficulty obtaining the injectible testosterone he’s required to take and that “increased scrutiny by law enforcement, including the DEA, erects another obstacle to obtaining treatment.”

“I would be fearful of being investigated or harassed without reason,” he testified. “I would feel like I was constantly looking over my shoulder.”

Last year, after the charges against Marlon Jones were dropped, a Utah senator introduced a bill that would require police to obtain a warrant to search the database.

“It has become the status quo that when a person comes under their radar they run to the prescription drug database and see what they are taking,” said Sen. Todd Weiler, a Republican—who said that police in Utah searched the PDMP database as many as 11,000 times in one year alone. “If a police officer showed up at your home and wanted to look in your medicine cabinet and you said no, he would have to go and get a search warrant.”

Among the instances of misconduct Weiler cited is the case of an opioid addicted police officer who was caught on video stealing pills from an elderly couple’s home after tracking their prescriptions in the state’s PDMP database. Weiler’s bill survived an attempt by opponents to water down the warrant requirement and was signed into law last March.

In the rush to address a spike in overdose deaths attributed to prescription medication, few have questioned the necessity for greater monitoring of drug dispensing to prevent drug diversion and “doctor shopping.” Every state in the nation, with the exception of Missouri, now has a prescription monitoring program and several have begun expanding their programs.

Wisconsin passed a law in March that liberalized access to its PDMP, making the data available to registered nurses without independent prescribing authority, medical directors, and substance abuse counselors. The law also removed a previous requirement that police obtain a search warrant to access the data.

The federal government is eager to see all this data linked. The Department of Justice has developed a software platform to facilitate sharing among all state PDMPs. So far 32 states already share their PDMP data through a National Association of Boards of Pharmacy program.

The Comprehensive Addiction and Recovery Act (CARA), which passed Congress in March, calls for expanding sharing of PDMP data.

From a privacy standpoint this is problematic for a number of reasons. For starters, there is little uniformity between state PDMP laws. While most PDMPs include thte full name, address, and date of birth of the patient—as well as the name, strength, and quantity of the controlled substance dispensed—statutes vary widely in terms of what drugs are tracked and who qualifies for access.

According to the Department of Justice, only 19 states require a warrant for law enforcement to access their PDMP, and more than a dozen allow out-of-state police agencies access. Less than a quarter of states require that patients are notified when or if their prescription information might be accessed.

To the casual observer the databases are aimed primarily at limiting illicit use of potentially deadly opioid narcotics. And fatalities tied to prescription drugs are frequently cited by policy makers and medical professionals who support mandatory database sharing.

But most state PDMPs encompass a host of common pharmaceuticals—ranging from tightly controlled Schedule II drugs, like OxyContin and morphine, to more innocuous Schedule V substances, such as seizure and epilepsy drugs with virtually no potential for abuse.

Fifteen state registries even house information on non-controlled substances .

Testosterone is a Schedule III controlled substance that in addition the gender identity disorder is used to treat hormone deficiency in men and prostate cancer. It has a “high potential for abuse” as a performance enhancing steroid, according to the DEA, though it’s not clear how much is diverted from legitimate use onto the black market. There are several moderate-to-severe side effects from steroid use, but overdose does not appear to be one of them.

Other drugs covered by state prescription monitoring laws include frequently prescribed medications that have low-to-no overdose potential. These include medications used to treat insomnia, weight loss associated with AIDS, nausea in cancer patients, anxiety disorders, and post-traumatic stress disorder. In fact, opioids represent a tiny proportion of drugs covered by PDMPs.

“The diseases and conditions treated with controlled substances are so common that it is likely that state PDMPs will soon contain sensitive information about the majority of Americans,” said Deborah C. Peel, MD, director of Patient Privacy Rights (PPR).

When Oregon created its PDMP in 200, it took pains to prioritize patient privacy and set strict guidelines for access to the registry, including requiring a court order for law enforcement to search its contents. The DEA ignored that mandate and peppered the state’s registry with warrantless requests for access in pursuit of investigations into drug diversion. The agency argues that it has a “compelling interest” that supplants any privacy protections attached to prescription data for controlled substances and that requiring a warrant “severely limits [its] ability to conduct timely, effective investigations.”

An amicus brief filed in support of the Oregon plaintiffs by the American Medical Association contends the DEA’s position is misguided.

“The primary purpose of PDMPs is healthcare, not law enforcement,” the AMA said, adding that while PDMPs provide for referrals to law enforcement, they are not designed to be “a tool or repository for law enforcement to initiate access to gather information,” as is the case here with the DEA’s administrative subpoena.

Whether the Ninth Circuit agrees with that will have far reaching implications for millions of Americans who rely on prescription medication to manage their illnesses.