DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Bivens action claims IRS agents engaged in warrantless seizure of 60M medical records of 10M people during raid

Posted on March 14, 2013 by Dissent

Rebekah Kearn of Courthouse News reports:

John Doe Company sued 15 John Doe IRS agents in Superior Court.

“This is an action involving the corruption and abuse of power by several Internal Revenue Service (‘IRS’) agents (collectively referred to as ‘defendants’ herein) during a raid of John Doe Company, in the Southern District of California, on March 11, 2011,” the complaint states. “In a case involving solely a tax matter involving a former employee of the company, these agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians.

“No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court’s search warrant authorization, seizing the records under threat of destroying company property.”

So what company is John Doe Company? The complaint gives us little clues as to their identity except that it’s a HIPAA-covered entity in the Southern District of California. From the description in the complaint, I think it’s likely to be either a large insurance company or a data center for same, as only 1 million of the 10 million individuals allegedly affected are in California.

According to the complaint, the March 11, 2011 raid was related to an IRS investigation into the financial records of a former employee and agents were not authorized to seize any health records of anyone:

The search warrant authorized the seizure of financial records related principally to a former employee of the company; it did not authorize any seizure of any health care or medical record of any persons, least of all third parties completely unrelated to the matter.

The complaint alleges that a lot of sensitive information was removed improperly by IRS agents:

In spite of Defendants’ knowledge that John Doe Company was a HIPAA secure facility, in spite of Defendants’ knowledge that the records they demanded to be searched and seized were medical records of other Americans, Defendants told the company’s IT personnel to transfer several servers of the medical records and patient records to the IRS for search and seizure, otherwise they would “rip” the servers out of the building entirely.

The records contained a lot of sensitive information:

These medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns.

The complaint was filed in San Diego Superior Court on March 11. I’ve uploaded a copy of it  here (pdf).

So… did the John Doe Company notify all 10 million people that their records had been acquired by the IRS? Was HHS notified? Under the prior HITECH regulations, if the John Doe Company believed that there was a substantial risk of harm from these records being in the hands of IRS agents in a less secured environment, did they have an obligation to report and notify?

I emailed the attorney for the John Doe Company to put a few questions to him but did not get a reply by publication time. I will update this entry if I get a reply.

Related posts:

  • Court Authorizes Service of John Doe Summons Seeking the Identities of U.S. Taxpayers Who Have Used Virtual Currency 
Category: Uncategorized

Post navigation

← Security agency tells Europe to find alternative to risky email
Does a presidential executive order on cybersecurity get a hotel chain off the FTC hook for its breaches? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware
  • Senator Chides FBI for Weak Advice on Mobile Security
  • Cl0p cybercrime gang’s data exfiltration tool found vulnerable to RCE attacks
  • Kelly Benefits updates its 2024 data breach report: impacts 550,000 customers
  • Qantas customers involved in mammoth data breach
  • CMS Sending Letters to 103,000 Medicare beneficiaries whose info was involved in a Medicare.gov breach.
  • Esse Health provides update about April cyberattack and notifies 263,601 people
  • Terrible tales of opsec oversights: How cybercrooks get themselves caught

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Kids are making deepfakes of each other, and laws aren’t keeping up
  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.