Not surprisingly, Mayo Clinic is facing a lawsuit over an insider-wrongdoing (snooping) breach that was disclosed last month. Jim Spencer reports:
Patients whose medical records were improperly accessed by a former Mayo Clinic employee are attempting to mount a class-action lawsuit against the health care provider for failing to protect their sensitive personal data.
The lead plaintiff, Olga Ryabchuk, was one of more than 1,600 patients, including more than 1,000 from Minnesota, who had their medical records examined by a former Mayo health care worker who had no right to look at them, according to a complaint filed Friday in Olmsted County District Court.
Read more on StarTribune.
Insider snooping — often out of curiosity but also often concerning an employee’s relatives, friends, or exes — is a long-standing problem and risk. Employees across different services and departments need access to records for patient care, and figuring out what is legitimate access vs. unnecessary access is challenging. Several firms, including one DataBreaches.net collaborates with — Protenus — provide software solutions plus training programs to help entities monitor and reduce inappropriate access. But can patients successfully sue for violations? Look at what Spencer reports in the current case:
[the plaintiff] Ryabchuk claims violation of the Minnesota Health Records Act, which forbids unauthorized access to medical records. She also sued for invasion of privacy and emotional distress. In addition to personal information, demographic information and clinical notes, the Mayo employee allegedly looked at “images” of private parts of Ryabchuk’s body, according to the complaint.
Even assuming all that happened, does that make the clinic responsible for the actions of an inappropriate employee? We have seen a number of cases over the years where plaintiffs tried to hold medical centers or employers responsible for an employee’s behavior. Many of those suits fail because the employee was acting outside of the scope of their duties. I do not know if there have been any suits like that in Minnesota though, or what those opinions held. As always, stay tuned…. and maybe some lawyer will blog about this case so we can learn more about similar cases in Minnesota.