Insider Privacy Breach Leads to Multiple Class Action Lawsuits Against Mayo Clinic


The Mayo Clinic is facing multiple class action lawsuits after it was discovered that a former employee had accessed the medical records of 1,600 patients without authorization.

The former employee accessed sensitive information, including patient names, demographic information, dates of birth, medical record numbers, medical images and clinical notes.

HIPAA (Health Insurance Portability and Accountability Act) has strict rules and guidelines for protecting and safeguarding patient records.

These safeguards are intended to ensure the privacy, confidentiality, and integrity of protected health information and to limit the disclosures and uses of that information without a patient's consent.

If needed for their work duties, healthcare employees are permitted to access patient health records, but the former employee in this case had no legitimate work reason for accessing the records.

The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being exposed or compromised.

As a result, two lawsuits have been filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA).

The MHRA has stricter regulations regarding the privacy of healthcare data in Minnesota which apply to all Minnesota-licensed physicians.

The lawsuit alleges Mayo Clinic did not implement systems or procedures to ensure plaintiffs’ and similarly situated individuals’ health records would be protected and not subject to unauthorized access, and that the former employee accessed the plaintiffs’ medical records without first obtaining their consent.

Under MHRA, healthcare providers must obtain a signed and dated consent form from a patient or the patient’s legal representative authorizing the release of their medical records.

This rule is only void if there is a specific authorization in law, or when there is a representation from a provider holding a signed and dated consent form from the patient in question authorizing the release of their medical records.

The lawsuit also brings common law tort claims for the invasion of privacy, negligent infliction of emotional distress, and vicarious liability.

A major contributing factor to the emotional distress was that some of the accessible medical images included nude photographs of patients taken in connection with their cancer treatments.

The plaintiffs seek monetary damages and other relief deemed appropriate by the courts.

About the author

Katie Brownley

Health & IT Journalist covering Cybersecurity News, Data Breaches and Security Industry News. Email is open for DM and News Tips are Welcome
