A HIPAA-covered entity of the Southern District of California announced today that it is suing 15 Internal Revenue Service (IRS) agents for “an unlawful search and seizure conducted on March 11, 2011.” Though the surrounding details of the health data breach and pending class action lawsuit are minimal, Courthousenews.com reports that IRS agents have been accused of improperly accessing and taking 10 million medical records, such as the personal health records of all California state judges.
The covered entity, called John Doe Company, states that the IRS agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians. John Doe Company argues in its suit that because, in part, the agents had no reason to access the records in the records in the first place and abused their power in stealing the medical records, the 4th amendment was violated.
No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court’s search warrant authorization, seizing the records under threat of destroying company property.
The investigation is ongoing and the legal representatives are sifting through whose data has been accessed and what type of information was sold. For example, according to the report, psychological counseling, gynecological counseling, sexual or drug treatment and other records have already been found to be part of the case. The class action suit claims the IRS hasn’t been helpful in the process and John Doe Company is looking for $25,000 in compensatory damages “per violation per individual” as well as punitive damages for constitutional violations.
Considering the size, amount of money and entities involved, this is a huge class action suit and it will be interesting to see to what degree the Department of Health and Human Services gets involved. How do HIPAA and HITECH apply here, given the recent changes? This case is worth watching in coming months.