IRS unlawfully seized 60M medical records

An unnamed HIPAA-covered entity in Southern California is suing the U.S. Internal Revenue Service, alleging that agents executing a warrant stole medical records for 10 million Americans. Those affected could include every state judge in California, as well as "prominent citizens in the world of entertainment, business and government, from all walks of life," according to the complaint.

Fifteen IRS agents executed a search warrant on March 11, 2011, for financial data pertaining to a former employee of the company, however, "it did not authorize any seizure of any healthcare or medical record of any persons, least of all third parties completely unrelated to the matter."

IT personnel, a HIPAA warning on the building and company executives explained that the records were privileged; however the agents "threatened to 'rip' the servers containing the medical data out of the building if IT personnel would not voluntarily hand them over," Courthouse News Service quotes the complaint. It alleges that the agents made no effort to confine their search to information specified in the warrant, and claims the IRS still has the records.

Plaintiff's attorney Robert E. Barnes told the news service that he's still investigating, but had to file the lawsuit now due to statute of limitations issues. He said he will have more information "in a few months."

The number of records involved--60 million--would include roughly one of every 25 American adults, according to the complaint, including records on psychological counseling, gynecological counseling, sexual/drug treatment and other medical treatment.

The lawsuit seeks $25,000 "per violation per individual" in compensatory damages, as well as punitive damages. It also seeks the return of the data, an injunction to prevent the IRS from sharing the data and the purging of all the information from government databases.

Large-scale healthcare data breaches were on the decline in 2012 as organizations doubled down on privacy and security safeguards, according to IT security audit firm Redspin. Yet stories of lost or stolen laptops remain common, as well as other ways that health information leaks out--such as through unencrypted wireless networks. Google recently agreed to pay a $7 million fine for scooping up personal information while collecting data for its Street View project.

New HIPAA regulations set to go into effect March 26 broaden requirements to also cover a provider's business associates.

Leon Rodriguez, director of the U.S. Department of Health & Human Services' Office for Civil Rights, recently said that consumers have to be able to trust users of electronic health records, and warned that his office will be moving to "more impactful" enforcement of HIPAA.

Secure storage of data is equally important. Kaiser Permanente of California learned about that recently when it found that one of its contractors, Sure File Filing Systems--a small business run by husband-and-wife team Stephan and Liza Dean--stored almost 300,000 confidential records in their home.

To learn more:
- find the article