
IRS faces class action lawsuit over theft of 60 million medical records - harold
http://www.healthcareitnews.com/news/irs-face-lawsuit-over-theft-60-million-patient-health-records
======
mikeyouse
I get it, we're all supposed to hate the IRS, but this is a really terrible
article about some scumbag lawyers trying to get a quick settlement. This is
just an new play on medical malpractice trolling.. And if there's anyone I
trust to give me the scoop on the IRS, it's Wesley Snipes' tax lawyer!

From the filing:

    
    
        A lurid but vague class action accuses corrupt and abusive IRS agents of
        stealing 10 million people's medical records without a warrant - including
        "intimate medical records of every state judge in California."
    

Sounds juicy..

    
    
        After being put on notice of the illicit seizure, the IRS agents refused
        to return the records, continued to keep the records for the prying eyes of
        IRS peeping toms, and keep the records to this very day.
    

Peeping Toms? Getting pretty serious..

    
    
        Adding insult to injury, after unlawfully seizing the records and searching
        their intimate parts, defendants decided to use John Doe Company's media
        system to watch basketball, ordering pizza and Coca-Cola, to take in part of
        the NCAA tournament, illustrating their complete disregard of the court's
        order and the Plaintiffs' Fourth Amendment rights. 
    

The IRS agents had the audacity to order lunch and watch TV? How salacious..
So how did they end up stealing so many confidential records?

    
    
        "Despite knowing that these medical records were not within the scope of
        the warrant, defendants threatened to 'rip' the servers containing the medical
        data out of the building if IT personnel would not voluntarily hand them over,"
        according to the lawsuit. "Moreover, even though defendants knew that the
        records they were seizing were not included within the scope of the search warrant,
        the defendants nonetheless searched and seized the records without making any
        attempt to segregate the files from those that could possibly be related to 
        the search warrant."
    

So they executed a search warrant, seized a server related to the financial
crime they were investigating, and that server happened to have some
confidential medical records too? And this is worth $250 billion in
compensatory and punitive damages?

~~~
downandout
You seek to minimize the illegal conduct of the agents involved in this case,
but this is actually very serious. I certainly don't want the IRS having
access to my medical records, and in fact HIPAA was designed for exactly this
type of thing. What if the IRS decides to keep this information and use it to
spawn other investigations? Who is going to stop them once they have the
records? If the law allows for $25,000 per person, and they were informed that
they were violating the law and did this anyway, then so be it.

They likely won't wind up with anywhere near $250 billion, but someone needs
to keep these IRS animals in check. I'd like to see a multi-million dollar
judgment, paid personally by the IRS agents involved over the next several
decades, while they are forced to work construction. Then I'd like to see
pictures of them working in the hot sun to pay this debt published in the IRS
employee newsletter as a warning to other power-tripping, pizza-eating, Coke-
swilling agents that practice their profession with wanton disregard for the
very laws they are supposed to be enforcing. This kind of thing is not OK.

~~~
mikeyouse

        You seek to minimize the illegal conduct of the agents involved in
        this case, but this is actually very serious.
    

You do realize that this is a civil case right?

I'm not even convinced what they did was illegal. Unless you know otherwise,
the story reads that the IRS had a subpoena for some electronic files on a
John Doe suspected of fraud. They took a 'server' which was likely a file
server that contained said files. It appears that the file server also had
patient data. How devious of them.

What were they supposed to do? I'm sure John Doe didn't type up a 'master-
fraud-plan.doc' and leave it on the desktop.

    
    
        And in fact HIPAA was designed for exactly this type of thing.
    

No it wasn't.

    
    
        What if the IRS decides to keep this information and use it
        to spawn other investigations? 
    

The cases would be thrown out almost immediately?

    
    
        Who is going to stop them once they have the records?
    

Somewhat ironically, the 4th amendment?

    
    
        If the law allows for $25,000 per person, and they were informed that
        they were violating the law and did this anyway, then so be it.
    

The law makes no such allowance. Again, this is a civil case. That is how much
damage Wesley Snipes' tax attorney thinks was done to the 10 million people
that had never heard of this before.

Speaking of the 10 million people, any provider which loses patient
information for more than 500 people must file a notice of breach, which is
then public information. Looking at 2011 breach notifications, the largest
California breach was only 1.9 million people, and was related to IBM losing
some drives.[1] It would be outstanding if this dirtbag convinced some judge
that a breach actually occurred, which would be enough evidence for the HHS to
levy a massive fine against them for failing to report.

[1] - <http://www.dmhc.ca.gov/library/reports/news/pr031411.pdf>

~~~
downandout
_You do realize that this is a civil case right?_

Yes. They committed an illegal act; now they are being sued over it.

 _[Hipaa was't designed for this]_

HIPAA was designed to protect medical records from falling into unauthorized
hands and/or being misused or mishandled. So yes, this is a HIPAA violation,
probably of unprecedented size and scope.

 _[If the government used this information for other cases] The cases would be
thrown out almost immediately_

The government routinely intercepts information that it can't use in court
because of the way it was obtained. They use it as a starting point. If
someone has told their psychiatrist that they were embezzling funds, for
example, and this was in their records, they could use that information to
know where to begin looking and prosecute a crime that they would not have
otherwise known about.

~~~
mikeyouse

        Yes. They committed an illegal act; now they are being sued over it.
    

They're being sued in civil court because this would be laughed out of
criminal court.

    
    
        So yes, this is a HIPAA violation, probably of unprecedented size and scope.
    

You don't have any idea whether or not this is a HIPAA violation, so stop
pretending like you do.

1\. The law makes clear exceptions for information gathered during the course
of an investigation.

2\. Health information is supposed to be encrypted in transit or at rest, so
if the company was in compliance, there's a distinct possibility that the data
isn't even accessible.

    
    
        The government routinely intercepts information that it can't use
        in court because of the way it was obtained. They use it as a starting
        point. If someone has told their psychiatrist that they were embezzling
        funds, for example, and this was in their records, they could use that
        information to know where to begin looking and prosecute a crime that
        they would not have otherwise known about.
    

Citation?

I'll leave it to the courts to determine the outcome, but I predict this is
the last we hear of this.

~~~
downandout
If they knowingly took HIPAA-protected records, and the taking of those
records was outside the scope of the search warrant, they violated HIPAA. You
can spew your pro-government nonsense all you want, but that simple fact
cannot be changed.

------
jgeorge
I don't see why this is such a big deal. Under the new healthcare laws, the
IRS is going to be managing a vast majority of American healthcare records
anyway. I think these agents were just being proactive!

Remember it's "theft" until you get someone to pass a law requiring people to
voluntarily give you what you want.

~~~
epoxyhockey
_the IRS is going to be managing a vast majority of American healthcare
records anyway_

For those interested, I found more info in the following links. Though, it
still does not appear that the IRS would be privy to the exact details of
medical care.

<http://www.cnbc.com/id/100711119>

<http://www.irs.gov/PUP/newsroom/REG-148500-12%20FR.pdf>

 _it's "theft" until you get someone to pass a law requiring people to
voluntarily give you what you want_

While this is very true, it is rarely applied retroactively.

------
tptacek
Am I reading this article correctly, that the IRS didn't sieze medical records
but rather a collection of records that included a small number of financial
records they needed and then a large number of medical records they didn't
care about?

~~~
harold
What makes you think they didn't care about the medical records? Because they
weren't listed in the search warrant?

I wonder who gained access to this data after it was seized?

What political party hack would not want access to "psychological counseling,
gynecological counseling, sexual/drug treatment and other medical treatment
data" of current or future political figures?

~~~
tptacek
What makes you think the IRS does care about medical records?

~~~
chiph
Because HSA and FSA contributions & expenses are reportable.

~~~
SilasX
Right: If my tax-deductible Health Savings Account money is actually going to
get me "stress-related therapy" in the form of a hand job, the IRS wants to
know.

And probably more than they usually want to know about these things.

------
arbuge
The IRS is an unwieldy animal (I hesitate to say "brute"; YMMV) that will only
get unwieldier as the tax code gets more and more bloated. The average IRS
agent is, let's face it, not a genius, and even a genius would probably get
lost in that code nowadays. I got married last year and was astounded that the
joint tax return with my wife this year ran to 50 pages and cost me $1,500 in
accounting fees to prepare.

I dream of the day when a simpler system like a national sales tax could
replace the whole thing.

~~~
cobrausn
Sales tax penalizes those living hand to mouth more than is probably
advisable. I don't mind progressive taxation, but I would love to see them
stop trying to do social engineering with the tax code and just charge a fixed
rate based on income, period.

~~~
aaronblohowiak
sales tax is usually coupled with a reverse income tax (cash grant to the poor
that decreases to 0 as your income increases) to offset exactly the problem
you mention.

~~~
sixothree
Usually? Hmm. The proposed law in Louisiana did not include such.

------
bjhoops1
Hell, for $25,000 I'd let anyone take a look at my medical records!

On a serious note, it's been a bad week for the IRS, but that agency is
seriously struggling right now with a slashed budget and increased
responsibilities. As David Cay Johnston, puts it "The IRS is drowning."
[http://www.cjr.org/united_states_project/the_other_irs_scand...](http://www.cjr.org/united_states_project/the_other_irs_scandal.php?page=all)

~~~
adventured
I wasn't aware that the IRS has in fact had its budget slashed.

The only thing I've seen is that they're expected to expand to take on
Obamacare, and may not have the funding to do so.

Do you have the specific details on their budget being cut? Hasn't Obama
expanded their budget in the last four years?

~~~
bjhoops1
I am struggling to find budget statistics that go back to earlier than 2010,
but since that time the budget has been flat at $11.8 billion (1.5 billion
less than Obama requested), and thanks to the sequester they are experiencing
a $600 million cut this year. At the same time, they have been required to
take on new duties and are struggling to maintain the employment they need.
Read more: [http://www.reuters.com/article/2013/04/25/us-usa-tax-irs-
hea...](http://www.reuters.com/article/2013/04/25/us-usa-tax-irs-hearing-
idUSBRE93O1FO20130425) and <http://www.irs.gov/pub/newsroom/budget-in-brief-
fy2013.pdf>

What's absurd is that estimates of ROI on IRS funding range from 7:1 to 10:1.
So it's really not about the budget. I'll leave it as an exercise for the
reader to speculate on what's really behind the underfunding of the IRS.

------
Shivetya
As with many large and powerful organizations, it is not the top that is
always the problem but the mid level players who wield their power either
incorrectly or criminally.

------
300bps
IRS agents are given tremendous power. When they abuse it, they should face
harsher penalties than those not so empowered.

Last night I heard on NPR the story of a New Zealand expatriate that did not
file US taxes for several years as is required by every US citizen no matter
where they live or how long they've lived outside the US. He voluntarily
notified the IRS of his oversight and paid the $20,000 in back taxes. The IRS
then told him his penalty exceeded $140,000.

~~~
kbenson
I imagine if he lived abroad and still managed to owe $20k by his reckoning,
his income and/or assets are non-trivial, and the IRS may have some cause to
think he owes more (that's not to say they are correct).

Unfortunately the US tax system is a very adversarial one.

~~~
jlarocco
Considering he had $0 taken out for taxes each pay check, and it was over
several years, it's really not much.

My rough estimate is he could have earned $60k a year for 3 years and owe
approximately that much.

~~~
dmm
The first ~$95k of foreign income is excluded from US taxation.

~~~
chiph
So he'd probably have less than 50k in income liable to taxation, and that
puts him in the 15% bracket, so for 3 years his tax would be about 25k. How
they got from there to 140k is an interesting question -- that's a hell of
penalty & interest charge.

------
ericcumbee
This is not scary at all in the context of the IRS just admitted to going
after groups that are political opponents of the current administration. Nope
nothing to see here.

~~~
comrade_ogilvy
Stop right there and read your own post carefully.

If those groups are indeed "political opponents" of the current
administration, then the IRS has good reason to believe those groups are
"political". Political groups have a different tax status than a group that is
a church or other non-profit fraternal organizations. That is the law, and the
IRS is correct to scrutinize them, in order to properly ascertain what
category they fall under.

Slam dunk for the IRS, right there.

~~~
rgbrenner
All 75 (ie: 100%) of the groups that the IRS selected for an audit based on
their name were granted tax-exempt status by the IRS. So no, that is not a
good criteria to base an audit on. And I find it appalling that you believe
that it is acceptable to treat differently anyone the current administration
thinks is their political opponent... and that you think it's a "slam dunk"
that the IRS wasted resources auditing 75 groups, and then granted every
single one of their applications.

------
DanielBMarkham
A tragic story, but my money is on the IRS in this one. They do not have to
have an ongoing criminal or civil case. The Congress back in 2008 saw fit to
that.

Remember the law where you had to start creating 1099s for every vendor you
ran across? People yelled at that got taken care of, but there's a lot more in
that law yet to come. [inset long discussion about the exact nature of that
requirement]

I'd be interested in knowing if it is still possible to keep your health
records private. I used to self-pay and this was not a problem. But now? Where
I have to be part of some aggregate that then assesses health risks? I'm not
sure how it works. (And note the use of the word "private", not "anonymous")

~~~
n3rdy
> A tragic story, but my money is on the IRS in this one.

Or at least 20% of it is.

------
pasbesoin
For starters, I'd like to know how they handled those records. Was it in a
HIPAA-compliant fashion?

Regardless of use or potential misuse of such data, us "mere mortals" can face
serious challenges just for improperly maintaining it.

Is all this stuff sitting on some agents' laptops, somewhere? Given the
security requirements for the IRS's own inherent data (or, I would hope they
have such requirements), one might hope that the records are reasonably
secure. But I can't help being somewhat skeptical on this point. _And_... such
IRS requirements may _not_ be HIPAA compliant.

My point is, amongst everything else, if the government is going to run around
vacuuming up data wholesale, we can also look at whether they are even
prepared to... "properly", and consistent with the government's own
requirements, manage the data that they hoover.

------
ccdan
How about the trillions they stole from ordinary citizens?

------
johnward
Why does the IRS have medical records?

~~~
uptown
Did you even try reading the article?

~~~
johnward
No. Why would I do that?

