BreachExchange mailing list archives

Bivens action claims IRS agents engaged in warrantless seizure of 60M medical records of 10M people during raid


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 14 Mar 2013 13:46:15 -0400

http://www.phiprivacy.net/?p=12021

Rebekah Kearn of Courthouse News reports:

John Doe Company sued 15 John Doe IRS agents in Superior Court.

“This is an action involving the corruption and abuse of power by
several Internal Revenue Service (‘IRS’) agents (collectively referred
to as ‘defendants’ herein) during a raid of John Doe Company, in the
Southern District of California, on March 11, 2011,” the complaint
states. “In a case involving solely a tax matter involving a former
employee of the company, these agents stole more than 60,000,000
medical records of more than 10,000,000 Americans, including at least
1,000,000 Californians.

“No search warrant authorized the seizure of these records; no
subpoena authorized the seizure of these records; none of the
10,000,000 Americans were under any kind of known criminal or civil
investigation and their medical records had no relevance whatsoever to
the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA]
facility warning on the building and the IT portion of the searched
premises, and the company executives each warned the IRS agents of
these privileged records. The IRS agents ignored and discarded each of
these warnings, ignored their own published and public-reliant rules
and governing ethical requirements, and ignored the limitations of the
court’s search warrant authorization, seizing the records under threat
of destroying company property.”

So what company is John Doe Company? The complaint gives us little
clues as to their identity except that it’s a HIPAA-covered entity in
the Southern District of California. From the description in the
complaint, I think it’s likely to be either a large insurance company
or a data center for same, as only 1 million of the 10 million
individuals allegedly affected are in California.

According to the complaint, the March 11, 2011 raid was related to an
IRS investigation into the financial records of a former employee and
agents were not authorized to seize any health records of anyone:

The search warrant authorized the seizure of financial records related
principally to a former employee of the company; it did not authorize
any seizure of any health care or medical record of any persons, least
of all third parties completely unrelated to the matter.

The complaint alleges that a lot of sensitive information was removed
improperly by IRS agents:

In spite of Defendants’ knowledge that John Doe Company was a HIPAA
secure facility, in spite of Defendants’ knowledge that the records
they demanded to be searched and seized were medical records of other
Americans, Defendants told the company’s IT
personnel to transfer several servers of the medical records and
patient records to the IRS for search and seizure, otherwise they
would “rip” the servers out of the building entirely.

The records contained a lot of sensitive information:

These medical records contained intimate and private information of
more than 10,000,000 Americans, information that by its nature
includes information about treatment for any kind of medical concern,
including psychological counseling, gynecological counseling, sexual
or drug treatment, and a wide range of medical matters covering the
most intimate and private of concerns.

The complaint was filed in San Diego Superior Court on March 11. I’ve
uploaded a copy of it here (pdf).

So… did the John Doe Company notify all 10 million people that their
records had been acquired by the IRS? Was HHS notified? Under the
prior HITECH regulations, if the John Doe Company believed that there
was a substantial risk of harm from these records being in the hands
of IRS agents in a less secured environment, did they have an
obligation to report and notify?

I emailed the attorney for the John Doe Company to put a few questions
to him but did not get a reply by publication time. I will update this
entry if I get a reply.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
