Update on IRS seizure of server with 60 million records of 10 million patients
Erin McCann has a follow-up to a concerning report I noted here in March that involves the IRS’s seizure of 60 million records containing PHI of 10 million people from an unnamed company. McCann reports that the company has since been identified as Three Rivers Provider Network.
As previously reported, the incident related to an IRS investigation of an employee. It turns out the employee is the company’s founder, Blaine Pollock, who was subsequently indicted.
However, in July 2013, U.S. Attorney Laura E. Duffy and David D. Leshner asked the court for authorization to access the server provided a “filter” attorney view its contents to determine whether the data were within the scope of the warrant, which was ultimately granted.
Yet, according to Pollock’s attorney, Robert E. Barnes, these records were taken in violation of the warrant.
“The lawlessness of the government agents in this case” wrote Barnes in a July 22 opposition statement to the government’s request to view the computer server, “endangers the privacy of millions of Americans.” These Americans include, among others, California state judges, NBA and Screen Actors Guild employees, Barnes alleged.
Added Barnes, “A computer is conceptually indistinct from a filing cabinet; the right to seize financial records from the filing cabinet does not give the right to seize the entire filing cabinet, given that personal, privileged and confidential non-financial records will likely exist in the filing cabinet. Yet, that is precisely what the government did do, and seeks to do again, here.”
The U.S. government, however, argued on the contrary. “Only evidence on the (server) that is within the scope of the search warrant will be provided to the prosecution team,” wrote Duffy and Leshner in support of a motion to grant access to the computer.
Read more on HealthcareITNews.
So I still have some of my original questions, since there is no entry in HHS’s breach tool for Three Rivers Providers Network. Should this have been reported to HHS as a breach under HIPAA and HITECH? There’s no mention that the data or server were encrypted, although that might come out later. And should the IRS have seized this particular server under the terms of the warrant? The government seems to be successfully arguing “yes,” despite TRPN’s position that the server exceeded the warrant.
And how/where is this server with so much PHI being protected by the IRS?
This continues to be a very troubling situation, in my opinion, and I’m glad HealthcareITNews followed up.
Update: It seems that Modern Healthcare had published an update on this case prior to HITN’s report. Joe Carlson of Modern Healthcare provides links to some of the court documents and notes:
U.S. District Judge Michael M. Anello granted a government request to allow a third-party attorney to review the material and flag any information that might be relevant to Pollock’s tax case. For any information not deemed relevant, the IRS has promised to set it aside in a “sealed evidence bag” and allow the court to take custody of it.
Although Pollock initially appealed Anello’s order to a federal circuit court, that appeal was thrown out last month, allowing the review to proceed. The lawsuit against the IRS has since been put on hold pending the outcome of the criminal action against Pollock.
Read more on Modern Healthcare and my apologies for not finding their reporting sooner.