by Nadya 2948 days ago
I work in a tech-related healthcare field where I'm required to undergo HIPAA training and (often) end up needing to educate clients on potential violation risks. Nowhere near as good as a lawyer, but I deal with it on a daily basis at least. So take this as the typical "I am not your lawyer or pretending to be a lawyer - go speak with an actual lawyer" disclaimer.

>Wasn't this a HIPAA violation?

100% yes that was a HIPAA violation and honestly anything shy of giving your information to people who actually need it (aka: any hospital/practitioner you visit who should be aware of your medical history) is a violation with very few exceptions (mostly legal ones). Gossiping about patients is probably one of the most common violations.

>If yes, what do you even do about it?

Depends how much you care and how long it has been since the event happened and you became aware of the violation. If it happened within the last 6 months you can report it online through the process xapata linked you. If it's been over 6 months it's too late to report. I'm not sure if "it happened but I didn't know it was a violation until recently" counts as a start date for the "aware of the occurrence" limitation. Would be a great question for an actual lawyer.

You also don't know what else could possibly have been said about you or your medical history - so I'd keep that in mind when deciding if this violation is a "big deal" to you personally or not.