Rebekah Kearn of Courthouse News reports:
John Doe Company sued 15 John Doe IRS agents in Superior Court.
“This is an action involving the corruption and abuse of power by several Internal Revenue Service (‘IRS’) agents (collectively referred to as ‘defendants’ herein) during a raid of John Doe Company, in the Southern District of California, on March 11, 2011,” the complaint states. “In a case involving solely a tax matter involving a former employee of the company, these agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians.
“No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court’s search warrant authorization, seizing the records under threat of destroying company property.”
So what company is John Doe Company? The complaint gives us little clues as to their identity except that it’s a HIPAA-covered entity in the Southern District of California. From the description in the complaint, I think it’s likely to be either a large insurance company or a data center for same, as only 1 million of the 10 million individuals allegedly affected are in California.
According to the complaint, the March 11, 2011 raid was related to an IRS investigation into the financial records of a former employee and agents were not authorized to seize any health records of anyone:
The search warrant authorized the seizure of financial records related principally to a former employee of the company; it did not authorize any seizure of any health care or medical record of any persons, least of all third parties completely unrelated to the matter.
The complaint alleges that a lot of sensitive information was removed improperly by IRS agents:
In spite of Defendants’ knowledge that John Doe Company was a HIPAA secure facility, in spite of Defendants’ knowledge that the records they demanded to be searched and seized were medical records of other Americans, Defendants told the company’s IT personnel to transfer several servers of the medical records and patient records to the IRS for search and seizure, otherwise they would “rip” the servers out of the building entirely.
The records contained a lot of sensitive information:
These medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns.
The complaint was filed in San Diego Superior Court on March 11. I’ve uploaded a copy of it here (pdf).
So… did the John Doe Company notify all 10 million people that their records had been acquired by the IRS? Was HHS notified? Under the prior HITECH regulations, if the John Doe Company believed that there was a substantial risk of harm from these records being in the hands of IRS agents in a less secured environment, did they have an obligation to report and notify?
I emailed the attorney for the John Doe Company to put a few questions to him but did not get a reply by publication time. I will update this entry if I get a reply.