Court Documents Linked by Filing Date

This page will serve as the master index of all court documents in Dorn v. UnitedHealthcare, listed chronologically as each filing is served.

The initial complaint is coming soon—sometime in the “imminent” future.
See the irony? We learned that word from them.

United Healthcare: A Bureaucratic Hitjob. Let’s Call It What It Was.

What happened to me wasn’t administrative failure — it was administrative assassination.

Coming Soon!

Parallel Violations, Parallel Survivors: How the Mangione and Dorn Cases Reveal a National Pattern of PHI Weaponization

Two very different people. Two very different legal arenas. One unmistakable pattern.

In July 2025, defense attorneys for Luigi Mangione filed a blistering court motion accusing Aetna—owned by UnitedHealth Group—of unlawfully disclosing their client’s protected health information (PHI) to prosecutors. The information included mental health and medication history, and was handed over without a valid subpoena, without Mangione’s consent, and without meeting the narrow legal exceptions outlined under HIPAA.

Meanwhile, a separate but equally devastating story was unfolding just miles away. In a forthcoming civil action, trans woman and Medicaid patient Samara Dorn is preparing to sue UnitedHealthcare of Colorado, Rocky Mountain Health Plans, and UnitedHealth Group for disclosing her PHI—including gender identity, surgical history, and metadata-laced call logs—to local law enforcement and, chillingly, to the Department of Homeland Security.

The disclosure occurred thirty-five days after final contact. No warrant. No subpoena. No clinical emergency. Just a bureaucratic escalation, fueled by metadata and convenience, masquerading as concern.

One Corporate Entity, Two Victims While the legal details differ, both cases trace back to the same empire: UnitedHealth Group. In Mangione’s case, Aetna’s unlawful disclosure placed him at heightened risk in a capital murder prosecution. The leaked information was used to paint him as unstable and dangerous—shaping a death penalty narrative rooted not in evidence, but in psychiatric speculation.

In Dorn’s case, the disclosure to law enforcement created a parallel narrative: not of criminal guilt, but of institutional threat. She was flagged not because she committed a crime, but because her voice, identity, and digital footprint were deemed inconvenient. Through the use of backend tagging, AI-generated profiling, and misclassification, UnitedHealthcare constructed a narrative of risk that never existed—then passed that narrative on to police and federal agencies.

This Was Not Care. It Was Control. Both cases demonstrate a catastrophic breach of trust and legality—not because the PHI disclosures failed to help, but because they were never meant to help. In each instance, patient records were disclosed for the convenience and liability protection of the insurer, not for the safety of the individual or the public.

In Mangione’s case, the mental health data was handed over after investigators began seeking the death penalty—raising serious questions about motive, legality, and institutional betrayal.

In Dorn’s case, the PHI disclosure occurred more than a month after any clinical interaction, in violation of HIPAA’s “imminent threat” standard under 45 C.F.R. § 164.512(j). Her data was used not to intervene in an emergency, but to justify reputational abandonment and surveillance escalation.

Administrative Erasure in Action Dorn’s civil complaint outlines how metadata—call tags, risk flags, internal notes—was used to construct a false paper trail. This digital narrative was then used to reclassify her from “patient” to “public threat,” providing justification for disclosure to law enforcement and DHS. This process, which she calls administrative erasure, mirrors the logic in Mangione’s case: that PHI can be converted into reputational ammunition by the same system that claims to protect it.

What links these two cases is not merely the entity that caused the harm. It’s the infrastructure—the policies, the tools, the logic—that converts care into containment, healing into harm, and records into weapons.

One Shared Fight These cases are not isolated. They are flashpoints in a growing national pattern: vulnerable individuals being profiled, criminalized, or erased under the guise of healthcare compliance.

Aetna gave PHI to prosecutors.

UnitedHealthcare gave PHI to police.

Both actions occurred without proper legal justification.

Both targeted those already marginalized.

Both used medical information to destroy, not protect.

Luigi Mangione is currently fighting for his life in a criminal courtroom. Samara Dorn is preparing to fight for hers in a civil one. Their stories are different—but the machine harming them is the same.

Read the Motion We encourage the public, the press, and policymakers to read the Mangione defense team's powerful motion for themselves. It is available here:

📄 Download the Motion – 2025.07.17 HIPAA Violation – Mangione Defense (Google Drive)

This document is more than a legal filing. It is a warning.

Closing Statement The idea that PHI can be quietly weaponized behind closed doors should terrify everyone. What happened to Luigi Mangione could happen to any criminal defendant. What happened to Samara Dorn could happen to any trans patient, any disabled person, or any Medicaid recipient who speaks too loudly.

We are no longer talking about privacy. We are talking about targeting.

We are no longer talking about compliance. We are talking about complicity.

We are no longer talking about care. We are talking about power.

And together, these cases demand accountability.

The 35-Day ‘Myth’ of Imminent Threat

Introduction This section establishes the legal and factual invalidity of Defendants’ claimed reliance on HIPAA’s “emergency exception” under 45 C.F.R. § 164.512(j). The Defendants disclosed Plaintiff’s protected health information (PHI) to law enforcement 35 days after final contact, without warrant, subpoena, or valid exception.

At no point did Defendants possess a legally cognizable belief that Plaintiff posed an imminent threat to herself or others. The timeline, content, and procedural posture of the disclosure confirm that it was neither protective nor reactive—but retaliatory. This was not emergency intervention. It was surveillance-enabled punishment for asserting healthcare rights.

I. HIPAA’s Emergency Disclosure Exception: Scope and Standard

Under 45 C.F.R. § 164.512(j)(1)(i), HIPAA permits disclosure of PHI without patient authorization when a covered entity, in good faith, believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

To invoke this exception lawfully, four conditions must be met:

Temporal Proximity – Threat must be immediate or about to occur.

Probability – Threat must be more likely than not.

Specificity – A discernible act or target must be foreseeable.

Intervention Capability – Disclosure must be made to someone positioned to prevent the harm.

Failure to meet any of these elements voids the exception. Courts interpreting “imminent” across multiple jurisdictions consistently require that harm be impending and immediate, not merely speculative or delayed.

Doe v. Providence Hospital, 628 F.2d 1354 (D.C. Cir. 1980): “Imminent means the threatened harm is ‘about to occur’—not days or weeks in the future.”

Tarasoff v. Regents, 17 Cal. 3d 425 (1976): Confidentiality may be breached only when “the danger is imminent—i.e., present, serious, and foreseeable.”

People v. Sisneros, 55 P.3d 797 (Colo. 2002): Interprets “imminent danger” as requiring a true emergency, not generalized concern.

Medical literature further narrows this scope: Modern psychiatric and behavioral health literature sharply limits the scope of what can legally or ethically be called “imminent” risk.

According to the American Psychiatric Association’s Practice Guidelines for the Psychiatric Evaluation of Adults (2023), imminent risk is defined as the likelihood of violent or self-harming behavior occurring within the next 24 hours. This aligns with best practices in clinical decision-making, where interventions are triggered by present, acute risk—not long-term projections.

Similarly, in Evaluating Mental Health Professionals and Programs (Oxford University Press, 2022), Gold and Shuman emphasize that risk assessments extending beyond 24 to 48 hours fall into the category of “future risk” and no longer qualify as imminent. Their analysis underlines that disclosures justified under emergency exceptions must be grounded in real-time clinical danger, not speculative possibilities.

Further supporting this distinction, John Monahan’s article The Prediction and Management of Violence in Mental Health Services, published in Behavioral Sciences & the Law (2021), warns that predictive validity of violence risk models diminishes significantly after a 72-hour window. In other words, the further in time a potential risk is projected, the less reliable and legally actionable it becomes.

II. What Actually Occurred: 35 Days of Non-Emergency Silence

December 10, 2024: Final call between Plaintiff and UHC grievance staff. No threats, no escalation, no behavioral health referral.

December 11 – January 13, 2025: No contact initiated by either party. No internal welfare check, no mental health follow-up, no 911 call.

January 14–15, 2025: A UnitedHealthcare employee contacts police and discloses PHI on the 15th

Internal staff acknowledged post-facto: “We probably weren’t allowed to send that...but it’s done.” (Paraphrased.) See Exhibit N, Page 2,

Elapsed time: 35 full days.

PHI Disclosed Includes: Audio recordings of patient calls Medication and psychiatric history Behavioral risk scores Gender-affirming surgical data

No clinical provider authorized or reviewed the disclosure.

The employee admitted, “I’m not supposed to do this…”, suggesting knowledge of impropriety.

III. Legal Analysis: Why the Exception Fails

A. No Imminence Thirty-five days of complete silence—no contact, no incident, no outreach—makes any claim of “imminent” threat categorically invalid. No court has accepted such a delay as compatible with emergency doctrine.

B. No Concrete Threat Plaintiff made no threats to self or others. Emotional tone and political frustration were mischaracterized as danger. Call recordings confirm expressive speech—not crisis or violence.

C. No Clinical Justification No psychiatrist or behavioral health professional authorized the disclosure. HIPAA requires that safety-based disclosures rest on professional judgment, not clerical speculation. Defendants failed this duty.

D. No Valid Recipient The Grand Junction Police Department took no responsive action. No officers were dispatched, and the case was closed without follow-up—indicating no actionable concern even from law enforcement.

E. No Good Faith Defendants cannot rely on good faith when: The disclosing employee expressed doubt and internal conflict (“I’m not supposed to do this”).

The disclosure occurred five weeks after any alleged concern. There was no contemporaneous internal effort to intervene or monitor.

The disclosed materials included extensive non-essential PHI—more aligned with reputational damage than protective urgency.

Good faith must be objectively reasonable. Here, it was absent.

IV. Retaliatory Pattern and Timing Plaintiff had recently: Filed internal grievances over hormone therapy denial Invoked federal and Colorado anti-discrimination protections.

Warned of regulatory complaints

After her final December call, she went silent—choosing legal strategy over continued confrontation. Defendants responded not with resolution, but with silence, followed by a targeted, over inclusive disclosure.

This pattern—escalation, silence, metadata flagging, retaliatory disclosure—constitutes a clear abuse of HIPAA’s safety exception as a tool of institutional control, not care.

V. Colorado Law Reinforcements Colorado statutes mirror HIPAA’s requirements and impose even stricter standards:

C.R.S. § 10-16-104.3(3)(b) – Prohibits disclosure of mental health info absent “serious threat” and necessity to prevent harm.

C.R.S. § 12-245-220 – Requires licensed clinician involvement in emergency disclosures. Scharrel v. Wal-Mart, 949 P.2d 89 (Colo. App. 1997) – Rejects generalized concern as basis for breach. Defendants complied with none of these.

Conclusion This was not emergency care. It was delayed, unjustified retaliation under color of safety. A 35-day delay obliterates any credible invocation of the “imminent threat” doctrine. The PHI disclosure was motivated not by concern—but by complaint fatigue, administrative vengeance, and reputational framing.

To preserve the integrity of HIPAA and state medical privacy law, such misuse must be recognized not only as a violation—but as a weaponization of patient trust.

This section is incorporated as a factual and legal basis for all privacy, negligence, and emotional distress counts within the Plaintiffs Complaint and Demand for Jury Trial.

A PDF copy of The 35-Day ‘Myth’ of Imminent Threat is available HERE