Patients filed class-action complaints against the Mayo Clinic this past week. They are accusing the system of violating the Minnesota Health Records Act.
Mayo Clinic said in a news release in October that a former employee had inappropriately accessed the health records of more than 1,600 patients. Now, multiple patients are seeking to have a class-action case declared against the clinic.
According to a complaint filed last week in Olmsted County District Court, Mayo Clinic told plaintiff Olga Ryabchuk that the potentially accessible data included her name, demographic information, birth date, medical record number and clinical notes.
Mayo Clinic also said that images of “private parts” of Ryabchuk’s body had been accessed, the suit said.
“This is particularly troublesome because it’s pretty intimate photographs of people,” said Ryabchuk’s lawyer, Marshall Tanick, in an interview with Healthcare IT News. Situations like these, said Tanick, “cry out for better controls [over] who has access to this data.”
An additional complaint filed in Olmsted County District Court also seeks class-action status. Plaintiffs in that suit, Amanda Bloxton-Kippola and Chelsea Turner, said the breach included “nude photographs taken by Mayo Clinic in connection with the health care Plaintiffs received from Mayo Clinic,” according to reporting from KROC.
Mayo Clinic representatives said that the system does not comment on pending litigation.
WHY IT MATTERS
Ryabchuk is alleging a violation of the Minnesota Health Records Act, which forbids accessing a record locator or patient information service without authorization.
She is also accusing the Mayo Clinic, and the resident in question, of a common law invasion of privacy and negligent infliction of emotional distress.
Ryabchuk “was extremely distraught to learn of this unlawful access of her health records,” read the complaint. “She was told that Mayo Clinic did a full investigation and interviewed the former employee and came to the decision that he was in [Ryabchuk’s] medical chart with no business reason.”
In addition to asking for a class certification, Ryabchuk’s suit seeks damages in excess of $50,000 for her and other class members.
Tanick, a Minneapolis-based lawyer, told Healthcare IT News that he’s seen an increase in cases involving unauthorized record access.
“Some of them are external hacking, but many of them are internal employees snooping into medical records,” he said.
“I think it’s because these records are relatively easily accessible to internal people if there’s not appropriate control on access,” he added.
THE LARGER TREND
As Tanick said, hospitals have faced increasing threats to patient data from external sources, such as hackers.
But snooping employees have presented problems too. In January 2015, following an EHR audit, nearly 850 patients were notified that a pharmacist employee had been inappropriately accessing their medical data.
Sometimes it’s not the employees themselves doing the snooping, but those who take advantage of security gaps. In 2018, West Virginia-based Coplin Health Systems notified 43,000 patients of a potential data breach due to the theft of a laptop from an employee’s car.
Though the laptop was password-protected, the data on it was unencrypted.
ON THE RECORD
“I think this is a significant case because of the breadth of the access,” said Tanick. “And of course, Mayo is a leading facility, so I think how this plays out could affect other cases.”