[BreachExchange] Mayo Clinic faces lawsuit in breach of patients' health records

Destry Winant destry at riskbasedsecurity.com
Mon Nov 9 11:09:21 EST 2020


https://www.startribune.com/mayo-clinic-sued-after-former-employee-improperly-accessed-patient-health-records/572995802/

Patients whose medical records were improperly accessed by a former
Mayo Clinic employee are attempting to mount a class-action lawsuit
against the health care provider for failing to protect their
sensitive personal data.

The lead plaintiff, Olga Ryabchuk, was one of more than 1,600
patients, including more than 1,000 from Minnesota, who had their
medical records examined by a former Mayo health care worker who had
no right to look at them, according to a complaint filed Friday in
Olmsted County District Court.

Ryabchuk claims violation of the Minnesota Health Records Act, which
forbids unauthorized access to medical records. She also sued for
invasion of privacy and emotional distress. In addition to personal
information, demographic information and clinical notes, the Mayo
employee allegedly looked at "images" of private parts of Ryabchuk's
body, according to the complaint. In a letter to Ryabchuk, Mayo said
it became aware of the breach of her records on Aug. 5.

The filing seeks a class designation for all patients whose records
got snooped. The suit asks to extend back two years in order to
capture others whose information was compromised. It seeks
compensatory damages in excess of $50,000 and the right to pursue
punitive damages.

"Litigation has been commenced regarding this matter," a Mayo
spokeswoman told the Star Tribune in an e-mail. "Mayo does not comment
on pending litigation."

When Mayo announced the data breach in October, the health care
facility said the employee accessed no Social Security numbers or
bank-account numbers. But he or she did look at patient names, dates
of birth, demographic information, clinical notes and, in some cases,
digital images. Mayo said it notified the FBI of the breach.

The medical center has never publicly named the former employee who
was involved. Marshall Tanick, attorney for the plaintiffs, said he
will seek the person's name as well as the names of other victims.

Mayo faced a similar data breach at its Arizona campus in 2010,
according to a report in Bloomberg Law. That situation involved 1,700
patients and it, too, ended in the dismissal of an employee.

In July, Hennepin Healthcare fired five employees for accessing
without authorization the hospital records of George Floyd, a Black
man whose killing by a white Minneapolis police officer provoked
worldwide protests calling attention to racial injustice.

Tanick said that in his law practice he has seen an increase in
medical-records breaches at large and small hospitals alike.

"Because of our digital society," he said, people have easier access
to information.

"There is an increase in voyeurism across society," Tanick added.
Technology has driven an uptick in "people being nosy and looking into
people's private affairs."

