IRS Facing Lawsuit Over HIPAA Violations Considered a Data Breach of Ten Million Records With Unauthorized Seizure
Posted Mar 15 2013 10:42am
The class action lawsuit does not name the company that filed the case, calling it “the John Doe Company.” The IRS is stated as not being helpful with supplying information, and the lawsuit is seeking $25,000 in compensation per individual. This all happened in southern California, and the IRS agents conducted the stated unlawful search and seizure in 2011. It was just yesterday that I included the Agency in my series on the Attack of the Killer Algorithms, due to software issues with education credits not calculating properly.
“No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court’s search warrant authorization, seizing the records under threat of destroying company property”
Not too long ago I suggested that HIPAA rules should be expanded and combined with other privacy laws so we could see where there are areas of conflict, duplication or whatever. In other words, have all privacy- and security-related information aggregated so that it could be accessed in one place. This is getting to be more of a problem today, and it’s not just in healthcare. I might guess there are many HIPAA-covered entities that may not be aware they are such, and they could be operating under other privacy or security entities at the same time.
The lawsuit alleges that the IRS violated the 4th Amendment, that there was no reason for accessing the records, and that no search warrant was requested. The records taken are said to include the personal health records of all of the California state judges as well. This certainly is making more of a case for digital laws in the US. With today’s complexities and the work of investigating items like this, it is getting tedious not to have some of the IT infrastructure rules spelled out. The latest HIPAA rules do a much better job, but again, access here I think is a big one to think about. I am guessing these were largely paper records from the sound of the article, but that may not be totally inclusive. BD
A HIPAA-covered entity of the Southern District of California announced today that it is suing 15 Internal Revenue Service (IRS) agents for “an unlawful search and seizure conducted on March 11, 2011.” Though the surrounding details of the health data breach and pending class action lawsuit are minimal, Courthousenews.com reports that IRS agents have been accused of improperly accessing and taking 10 million medical records, such as the personal health records of all California state judges.
The covered entity, called John Doe Company, states that the IRS agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians. John Doe Company argues in its suit that because, in part, the agents had no reason to access the records in the first place and abused their power in stealing the medical records, the 4th amendment was violated.