Multiple class-action lawsuits have been filed against Mayo Clinic over an insider data breach reported in October 2020. Mayo Clinic discovered that a former employee had accessed the medical records of 1,600 patients without authorization and viewed data including patient names, demographic details, birth dates, clinical notes, medical record numbers, and medical images.
Under the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities must implement controls to protect the confidentiality, privacy, and integrity of protected health information (PHI), and must restrict uses and disclosures of health data whenever patient authorization has not been obtained.
Healthcare workers are permitted to access PHI in the course of their work duties, but in this incident the former employee had no legitimate work reason for accessing the records. The unauthorized access violates the HIPAA Rules; nevertheless, HIPAA provides no private cause of action, so individuals affected by such a breach cannot take legal action for a HIPAA violation that results in the exposure of their health records.
Two lawsuits were recently filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA), which imposes stricter rules protecting the privacy of healthcare data in Minnesota. The MHRA applies to all Minnesota-licensed providers, and the law does include a private cause of action, so patients can sue providers that violate the MHRA.
The lawsuit claims that Mayo Clinic failed to implement systems or procedures to ensure that the health records of the plaintiffs and similarly situated persons would be protected from unauthorized access, and that the former employee accessed the plaintiffs' medical information without first obtaining their authorization.
Under the MHRA, healthcare organizations must obtain a signed and dated authorization form from a patient, or from the patient's legal representative, before releasing the patient's health data, unless the release is specifically authorized by law or another provider represents that it holds a signed and dated authorization from the patient permitting the release of that medical information.
The lawsuit additionally brings common law tort claims for invasion of privacy, vicarious liability, and negligent infliction of emotional distress. A significant contributing factor to the emotional distress was that a number of medical photographs were viewed, including nude images of patients taken in connection with their cancer treatment. The plaintiffs seek monetary damages and such other relief as the courts deem appropriate.