IRS Sued for Medical Records Breach

An unnamed HIPAA-covered entity in California is suing the Internal Revenue Service, alleging improper access of 60 million medical records by 15 IRS agents. The covered entity, referred to in court documents as John Doe Company, acknowledges that the agents had a search warrant for the financial data of a former employee of the company, but claims in its complaint that the warrant “did not authorize any seizure of any health care or medical record of any persons, least of all third parties completely unrelated to the matter” and therefore the seizure of medical records from the company on March 11, 2011 was inappropriate and unlawful.

The class action lawsuit states that more than 60 million medical records of over 10 million Americans (including at least one million Californians) containing protected health information (PHI) including “psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns” were searched and seized despite warnings by company executives and IT personnel at the scene, as well as a HIPAA facility warning on the building, that the records were privileged and protected under the HIPAA privacy rule.  The complaint states that the IRS agents ignored the warnings and “their own published and public-reliant rules and governing ethical requirements,” as well as the limitations of the warrant they’d been issued.  It further claims that the IRS has not been helpful or forthcoming in the investigation, and that the agents “continued to keep the records for the prying eyes of IRS peeping toms, and keep the records to this very day.”

John Doe Company argues in the suit that the Fourth Amendment (which guards against unreasonable searches and seizures) was violated because “none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search” and no search warrant or subpoena authorized the records’ seizure.  The class action lawsuit seeks punitive damages for these constitutional violations, in addition to $25,000 “per violation per individual” in compensatory damages, a potential minimum of $250 billion.  It further seeks a declaratory judgement to protect the proprietary and privileged data in the seized medical records, an injunction to prevent the IRS from sharing the data with other entities or organizations, and an order to require the return of all the seized records and “the purging of government databases of all such records, in whatever form kept or accessible.”

The use and disclosure of PHI stored in medical billing software such as Medisoft, or electronic medical records software such as Lytec MD, is regulated under the HIPAA privacy rule.