DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Bivens action claims IRS agents engaged in warrantless seizure of 60M medical records of 10M people during raid

Posted on March 14, 2013 by Dissent

Rebekah Kearn of Courthouse News reports:

John Doe Company sued 15 John Doe IRS agents in Superior Court.

“This is an action involving the corruption and abuse of power by several Internal Revenue Service (‘IRS’) agents (collectively referred to as ‘defendants’ herein) during a raid of John Doe Company, in the Southern District of California, on March 11, 2011,” the complaint states. “In a case involving solely a tax matter involving a former employee of the company, these agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians.

“No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court’s search warrant authorization, seizing the records under threat of destroying company property.”

So what company is John Doe Company? The complaint gives us little clues as to their identity except that it’s a HIPAA-covered entity in the Southern District of California. From the description in the complaint, I think it’s likely to be either a large insurance company or a data center for same, as only 1 million of the 10 million individuals allegedly affected are in California.

According to the complaint, the March 11, 2011 raid was related to an IRS investigation into the financial records of a former employee and agents were not authorized to seize any health records of anyone:

The search warrant authorized the seizure of financial records related principally to a former employee of the company; it did not authorize any seizure of any health care or medical record of any persons, least of all third parties completely unrelated to the matter.

The complaint alleges that a lot of sensitive information was removed improperly by IRS agents:

In spite of Defendants’ knowledge that John Doe Company was a HIPAA secure facility, in spite of Defendants’ knowledge that the records they demanded to be searched and seized were medical records of other Americans, Defendants told the company’s IT personnel to transfer several servers of the medical records and patient records to the IRS for search and seizure, otherwise they would “rip” the servers out of the building entirely.

The records contained a lot of sensitive information:

These medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns.

The complaint was filed in San Diego Superior Court on March 11. I’ve uploaded a copy of it  here (pdf).

So… did the John Doe Company notify all 10 million people that their records had been acquired by the IRS? Was HHS notified? Under the prior HITECH regulations, if the John Doe Company believed that there was a substantial risk of harm from these records being in the hands of IRS agents in a less secured environment, did they have an obligation to report and notify?

I emailed the attorney for the John Doe Company to put a few questions to him but did not get a reply by publication time. I will update this entry if I get a reply.

Category: Uncategorized

Post navigation

← Security agency tells Europe to find alternative to risky email
Does a presidential executive order on cybersecurity get a hotel chain off the FTC hook for its breaches? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide
  • Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme
  • Texas Doctor Who Falsely Diagnosed Patients as Part of Insurance Fraud Scheme Sentenced to 10 Years’ Imprisonment
  • VanHelsing ransomware builder leaked on hacking forum
  • Hack of Opexus Was at Root of Massive Federal Data Breach
  • ‘Deep concern’ for domestic abuse survivors as cybercriminals expected to publish confidential abuse survivors’ addresses
  • Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • Privilege Under Fire: Protecting Forensic Reports in the Wake of a Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law
  • Telegram Gave Authorities Data on More than 20,000 Users
  • Police secretly monitored New Orleans with facial recognition cameras
  • Cocospy stalkerware apps go offline after data breach
  • Drugmaker Regeneron to acquire 23andMe out of bankruptcy

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.