Rochester, MN (WorkersCompensation.com) – Earlier this month, the Department of Homeland Security along with CISA, FBI, and the U.S. Department of Health and Human Services issued an advisory stating that their intelligence showed that healthcare systems were at increased risk of data breaches due to ransomware cyberattacks. According to a recent report from the Star Tribune, however, even world-class facilities with the best protections in place aren’t necessarily immune when it comes to data breaches that come from within.
According to the HHS Breach portal, on October 5th, Mayo Clinic in Minnesota filed a data breach report citing unauthorized access as the cause. The breach involved 1,614 records. As a result, a lawsuit was filed November 6th in Olmsted County District Court for more than $50,000 in damages, with a request to be allowed to pursue punitive damages. The case is also seeking restitution for violation of privacy and emotional distress and requests a two-year review.
Olga Ryabchuk, lead plaintiff for the 1600 claimants, alleges that the clinic violated the Minnesota Health Records Act when a former employee improperly reviewed the medical records. According to the Star Tribune report of the legal case, Ryabchuk states that the former clinic employee reviewed private images of her body, among other information.
Mayo Clinic became aware of the breach on August 5th, two months before it was reported. When the data breach was originally announced in October, the clinic stated that the employee had been terminated upon discovery of the breach, and that the employee had viewed medical images and demographic information such as name and date of birth, but had not accessed Social Security numbers or banking information.
In a recent statement to the Star Tribune, a Mayo spokesperson declined to comment on the case.
In a 2019 study of MRI scans from volunteers who participated in the Mayo Clinic Study of Aging, researchers determined that individuals could still be identified through MRI scans even when identifying information had been thoroughly removed from the record. The study, published last year in the New England Journal of Medicine, reviewed the images of 84 volunteers aged 34 to 89. Face recognition software determined the correct medical record from the MRI results of the unidentified patient in 83 percent of the cases.
In a day and age of digital information, it just goes to show even the best efforts to maintain privacy are not necessarily foolproof.