Mayo Clinic faces multiple class-action lawsuits over an insider data breach in October 2020. Mayo Clinic learned that a former employee had accessed the health data of 1,600 patients without authorization and viewed details including patient names, demographic data, dates of birth, clinical notes, medical record numbers, and medical images.
Under the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities need to implement safeguards to protect the confidentiality, integrity, and privacy of protected health information (PHI) and to control uses and disclosures of that data when patient permission has not been obtained.
Healthcare staff are granted access to PHI to perform their work tasks; in this instance, however, the former employee had no legitimate work reason for viewing the records. The unauthorized access violates the HIPAA Rules; nonetheless, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action over a HIPAA violation that leads to the compromise of their medical records.
Two lawsuits were recently filed in Minnesota state courts claiming violations of the Minnesota Health Records Act (MHRA), which introduced more stringent policies covering healthcare data privacy in Minnesota. The MHRA applies to all Minnesota-licensed medical professionals and provides a private cause of action, so patients whose providers violate the MHRA can sue.
The lawsuit states that Mayo Clinic did not have systems or processes to ensure that the medical data of the plaintiffs and similarly situated individuals were secured and not vulnerable to unauthorized access, and that the former employee accessed the plaintiffs' health information without first obtaining their authorization.
Under the MHRA, healthcare companies should obtain a signed and dated consent form from a patient, or from the patient's authorized representative, allowing the release of their medical data, except where there is a specific authorization in law, or where a representative of a healthcare provider holds a signed and dated authorization form from the patient concerned permitting the release of their health information.
The lawsuit also brings common law tort claims for vicarious liability, invasion of privacy, and negligent infliction of emotional distress. A serious contributing factor to the emotional distress was that certain medical images were viewed, including nude photos of patients used in connection with their cancer treatment. The plaintiffs seek monetary compensation and other relief deemed proper by the courts.