Unless you signed a release, this is a clear HIPPA violation-
I would Demand upon payment:
1. Removal of all entries in Credit reporting system
2. Certification of the removal of all identifiable health information from their system by an Officer of their company.
3. Provide copies of all documentation in regards to requesting identifiable health information.
Limits on Use of Personal Medical Information. The Privacy Rule sets limits on how health plans and covered providers may use individually identifiable health information. To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. In other situations, though, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside entity for purposes not related to their health care.