Mayo Clinic

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

The Mayo Clinic, a renowned healthcare organization, has faced multiple data breaches and subsequent legal challenges in recent years, highlighting the complexities and sensitivities involved in handling patient data.

Technical Issue Leading to Data Exposure

In January 2019, Mayo Clinic identified a technical issue with its mobile patient application that led to the potential exposure of patient information. This issue, which persisted between May 1, 2015, and February 1, 2019, affected fewer than 2,000 patients. It allowed limited information from one date of service about one patient to be inadvertently viewed by another patient using the app under specific conditions. The exposed information could include the patient’s name, age, clinic number, and clinical care details, but there was no evidence that financial information or social security numbers were accessed or misused. Mayo Clinic addressed the root cause and implemented additional safeguards to prevent future incidents[1].

Insider Privacy Breach and Legal Actions

In October 2020, Mayo Clinic reported an insider data breach in which a former employee accessed the medical records of 1,600 patients without authorization. This breach involved sensitive information, including patient names, demographic details, dates of birth, medical record numbers, medical images, and clinical notes. Notably, some of the accessed medical images were nude photographs taken in connection with cancer treatments. This breach led to multiple class-action lawsuits alleging violations of the Minnesota Health Records Act (MHRA), which provides stricter privacy protections than federal regulations. The lawsuits sought monetary damages and emphasized the emotional distress caused to the patients[2][3][4][5].

Responses and Settlements

Mayo Clinic has taken steps to address these breaches, including notifying affected patients and enhancing security measures. The organization settled some of the lawsuits, although the terms of these settlements were not disclosed. Additionally, criminal charges were filed against the former employee responsible for the 2020 breach[4][6][7][10][12].

Broader Implications

These incidents underscore the challenges healthcare organizations face in protecting patient data against both technical vulnerabilities and insider threats. They also highlight the legal and emotional ramifications of data breaches for patients. Mayo Clinic’s experiences serve as a reminder of the importance of robust data security practices and the need for continuous vigilance and improvement in the digital age[2][3][8].

Citations:

  1. https://www.mayoclinic.org/data-breach
  2. https://www.hipaajournal.com/mayo-clinic-faces-multiple-lawsuits-over-insider-privacy-breach/
  3. https://www.corsicatech.com/blog/mayo-clinic-sued-over-breach-of-patient-health-records/
  4. https://www.beckershospitalreview.com/cybersecurity/mayo-clinic-settles-over-data-breach.html
  5. https://www.startribune.com/mayo-clinic-sued-after-former-employee-improperly-accessed-patient-health-records/572995802/
  6. https://www.healthcareitnews.com/news/mayo-clinic-sued-over-breach-patient-health-records
  7. https://krocnews.com/criminal-case-linked-to-mayo-clinic-data-breach-has-been-filed/
  8. https://www.meshbesher.com/news-and-updates/mayo-clinic-privacy-breach/
  9. https://www.kttc.com/2023/12/23/doctor-sues-mayo-clinic-efforts-silence-him-mayo-clinic-motions-dismiss-claims/
  10. https://krocnews.com/mayo-clinic-resolves-another-data-breach-lawsuit/
  11. https://www.postbulletin.com/news/local/mayo-clinic-asks-court-to-dismiss-part-of-dr-michael-joyners-lawsuit
  12. https://www.databreaches.net/mn-mayo-clinic-settles-another-lawsuit-stemming-from-insider-wrongdoing/
  13. https://www.databreachtoday.com/mayo-fires-employees-in-2-incidents-a-2974
  14. https://www.natlawreview.com/article/bad-medicine-hospital-hit-multiple-data-breach-class-actions-unauthorized-access
Breach Submission Date: Nov 03, 2023
Converted Entity Name: Mayo Clinic
Converted Entity Type: Healthcare Provider
State: MN
Individuals Affected: 1,152
Breach Type: Unauthorized Access/Disclosure
Breach Information Location: Network Server
Business Associate Present: Yes