March 25, 2023

Volume XIII, Number 84



Bad Medicine: Hospital Hit With Multiple Data Breach Class Actions for Unauthorized Access of Patient Records

Healthcare data breaches are on the rise; recent estimates peg the number of patient records breached in 2019 as exceeding 41 million individuals.  Additionally, approximately 60% of all healthcare data breaches are caused by internal actors, a statistic underscored by consecutive data breach class actions filed against the Mayo Clinic concerning the unauthorized access of patient records.

In October, Mayo Clinic disclosed that a former employee had inappropriately accessed the health records of more than 1,600 patients.  Information that may have been accessed in the breach reportedly included name, demographic information, date of birth, medical record number, clinical notes and medical images (including, as alleged in the litigation, nude images of patients taken in connection with ongoing cancer treatments).

This month, following disclosure of the breach, Mayo Clinic was hit with two data privacy class action lawsuits in Minnesota state courts.  See Bloxton-Kippola, et al. v. Mayo Clinic, et al., Case No. 55-cv-20-6188 (Minn. Dist. Ct.) and Ryabchuk v. Mayo Clinic, et al., Case No. 55-cv-20-6445 (Minn. Dist. Ct.).  Among other things, the litigations allege that Mayo Clinic failed to “put into place systems or procedures to ensure that Plaintiffs’ and similarly situated individuals’ health records would be protected and would not be subject to unauthorized access.”  The Plaintiffs assert claims against Mayo Clinic under the Minnesota Health Records Act (“MHRA”) and for common law privacy torts.

First, some background for the uninitiated.  The federal health privacy statute, Health Insurance Portability and Accountability Act (“HIPAA”), provides for the disclosure of protected health information (“PHI”) in the absence of consent under a range of circumstances.  This includes, but is not limited to, for treatment, payment and healthcare operations (collectively, “TPO”) as well as for other purposes (research, public health activities, etc.).  Importantly, patients do not have a right to sue their health care provider under HIPAA for failing to follow HIPAA regulations (there is no private right of action).

However, HIPAA sets only minimum standards that must be followed where patient data is concerned.  It does not preempt states from passing more stringent healthcare privacy laws, as Minnesota has done with the MHRA.  The MHRA protects the data contained in the medical records of individual patients collected by healthcare providers and applies to all Minnesota-licensed physicians.  Providers that violate the MHRA are subject to recourse from their licensing board.  Unlike under HIPAA, patients may also sue providers for violating the MHRA.

Relevant for purposes of the Mayo Clinic litigations, in addition to the requirements under the HIPAA Privacy Rule, the MHRA prohibits a provider from releasing a patient’s health records to any person without:

(1) a signed and dated consent from the patient or the patient’s legally authorized representative authorizing the release;

(2) specific authorization in law; or

(3) a representation from a provider that holds a signed and dated consent from the patient authorizing the release.

Plaintiffs in the two litigations assert that they are “patients” as defined under the MHRA and Mayo Clinic is a “provider”.  They also allege that a former employee of the Mayo Clinic accessed their “health records” in the absence of their consent, in contravention of the MHRA’s requirements.  Besides pleading a count under the MHRA, Plaintiffs bring common law tort claims for invasion of privacy, negligent infliction of emotional distress, and for vicarious liability.  Plaintiffs seek monetary damages in addition to any other relief the court deems just and equitable.

As the number of data breaches continues to rise, so too will the number of data breach litigations.  CPW will be there to cover these developments as they occur.  Stay tuned.

© Copyright 2023 Squire Patton Boggs (US) LLP. National Law Review, Volume X, Number 329

About this Author

Kristin L. Bryan, Litigation Attorney, Senior Associate
Squire Patton Boggs, Cleveland, OH & New York, NY

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...