As every investigator knows, palm trees aren’t the only shady things in Florida.

I was bored a few weeks ago, and started doing some research on a company that had sent a blast email promising “medical records” and “prescription info.” Given that obtaining these records is completely illegal and this person included a price list in the email, I was a tad bit surprised.

But after digging into this a bit more, maybe I shouldn’t have been so stunned.

A colleague in the investigations industry had forwarded me an email a few years ago. It was a blast email from a Florida business — for those of you not in the know, Florida is the most popular state of residence among shady investigators — and it too had provided a price list running from $20 to $600 for things like bank records, food stamp records, credit card activity, hotel room activity, and college and high school transcripts. Knowing full well that nearly all this information would be obtained by shady/illegal means, I was intrigued.

At the very least, there was likely a whole lot of pretexting going on—of the not-so-savory kind.

What was most surprising was the offer to provide “medical records” (for $495) and “prescription info” (for $395). While the other offerings were certainly shady and more than likely obtained through illegal means, obtaining medical records and prescription info on someone without their permission is 100% illegal.

Seriously, just think about that for a minute. Imagine if anyone could purchase your medical records for around $500.

Let that soak in for a second.

Many people seem ambivalent about investigators’ obtaining bank records. But medical records?

Anyhow, this blast email was like hundreds of other blast emails I get from shady data brokers peddling information.

So I ignored it.

That was until a few weeks ago, when I stumbled across this old email and decided to dig into it. You know, the world is literally on fire and we are in a global pandemic, so I have a bit of extra time on my hands.

I clicked on the company website and not surprisingly found that it is no longer operational.

This made me chuckle, because my general approach is to not worry too much about these sorts of fly-by-night firms, as they seem to disappear just as quickly as they appear. I am pretty sure that Starting & Running a Business for Dummies tells you that if you want to have a long-lasting business model, selling shady, illegal stuff is not the way to go.

But that didn’t satisfy my interest, so I kept digging.

Since its registration, the company’s domain history has been protected by a proxy registration service to protect the identity of the true owner, so that proved a dead end.

I went back and looked through the domain history on archive.org. Of course, as expected, the company claimed to be in full compliance with the law, including HIPAA (which protects medical records) and the Gramm-Leach-Bliley Act (which protects banking records). I haven’t found one firm that peddles bank records and other shady records that says it isn’t compliant, so that claim means virtually nothing.

(The website also claimed to be in compliance with Sarbanes-Oxley, which is a law enacted in 2002 that predominantly concerns reporting requirements for public companies. Other than the fancy-sounding name that has a nice ring to it for marketing purposes, this has absolutely nothing to do with data protection, but I digress.)

There were also a few people listed on the website, two of whom had common-sounding names. They were common enough and the bios lacked enough detail to ensure that these people weren’t going to be easy to find. 

And they weren’t.

The third name was uncommon enough that I ran it through a couple of investigative databases, only to find that there was nobody in the entire country with that name.

The owner of the company, Kristin (not her real name), did have a LinkedIn profile, with nine followers, a cropped photo, and some limited details, including the name of the university she attended. Not much of a lead there either.

So I turned to Florida corporate records, where I found some records for a company with the same name, but a woman with a totally different name, whom we will call Laura.

Interestingly, Laura, who was the only officer listed on corporate filings, happened to live in the same town in which Kristin reportedly did and reported an address in the same college town, and—despite the cropped, overly exposed photo of Kristin on LinkedIn—I found some photos of Laura that looked strikingly similar.

The bottom line is that I am nearly certain that Kristin was a fake name being used on this website to sell all kinds of personal records. I mean, if you are selling shady records, it’s probably not a good idea to use your real name.

So, the punch line here is that for a business owner who has two kids about to go to college, a license, and a reasonably good reputation to uphold (or just an ethical and moral bone in your body) it’s probably not a good idea to take any chances by getting information from some data broker who claims to get information that by any normal stretch of the imagination can only be obtained by shady or illegal tactics.

I don’t care how compliant they are, who referred them, or how desperate my client is to get information.

It’s just not smart business practice.

Unless, of course, you want to rely on Kristin (aka Laura), who has now shut down her business and is living in a million-dollar beachfront home sipping on piña coladas.

Enjoyed What You Read?

Sign up for our newsletter and stay up to date with what Hal Humphreys, from Pursuit Magazine, believes to be one of the absolute best blogs in the investigative industry!

Here is a list of some common things that private investigators are not allowed to get without signed authorization or other official court order:

Medical Records

HIPAA, which was enacted in 1996, protects your medical history and medical records from prying eyes. There are federal and state laws against obtaining medical records without authorization.

Credit Reports

Individual credit reports are protected by the Fair Credit Report Act (“FCRA”), Driver’s Privacy Protection Act (“DPPA”) and Gramm-Leach-Bliley Act (“GLBA”). Private investigators can obtain credit reports, but a signed authorization or waiver from the subject of the inquiry must be obtained to get a credit report.

Bank Records

The Right to Financial Privacy Act prohibits financial institutions from disclosing bank records or account information about individual customers to governmental agencies without 1) the customer’s consent, 2) a court order, 3) a subpoena, 4) a search warrant, or 5) other formal demand, with limited exceptions.

Telephone Records / Cell Phone Records

In January 2007, President Bush signed the Telephone Records and Privacy Protection Act of 2006, which makes it a felony to fraudulently acquire telephone records. If you are the owner of the phone, it’s a different story, but you cannot access someone else’s phone records without permission.

Travel Records

Obtaining travel records for someone other than yourself can be done through the U.S. Department of State, provided that you have a notarized consent, court order or other legitimate document, but there is no way to publicly or legally obtain these records without permission.

Birth Certificates

Each state government has its own set of rules about obtaining birth certificates, but in general, birth certificates can only be obtained by the person named on the certificate, immediate family members or next of kin. In many states, records more than 100 years old are part of the public domain.

Enjoyed What You Read?

Sign up for our newsletter and stay up to date with what Hal Humphreys, from Pursuit Magazine, believes to be one of the absolute best blogs in the investigative industry!