Healthcare data breaches are on the rise-recent estimates peg the number of patient records breached in 2019 as exceeding 41 million individuals.  Additionally, approximately 60% of all healthcare data breaches are caused by internal actors—a statistic underscored by consecutive data breach class actions filed against the Mayo Clinic concerning the unauthorized access of patient records.

In October, Mayo Clinic disclosed that that a former employee had inappropriately accessed the health records of more than 1,600 patients.  Information that may have been accessed in the breach reportedly included name, demographic information, date of birth, medical record number, clinical notes and medical images (including, as alleged in the litigation, nude images of patients taken in connection with ongoing cancer treatments).

This month, following disclosure of the breach, Mayo Clinic was hit with two data privacy class action lawsuits in Minnesota state courts.  See Bloxton-Kippola, et al. v. Mayo Clinic, et al., Case No. 55-cv-20-6188 (Minn. Dist. Ct.) and Ryabchuk v. Mayo Clinic, et al., Case No. 55-cv-20-6445 (Minn. Dist. Ct.).  Among other things, the litigations allege that Mayo Clinic failed to “put into place systems or procedures to ensure that Plaintiffs’ and similarly situated individuals’ health records would be protected and would not be subject to unauthorized access.”  The Plaintiffs assert claims against Mayo Clinic under the Minnesota Health Records Act (“MHRA”) and for common law privacy torts.

First, some background for the uninitiated.  The federal health privacy statute, Health Insurance Portability and Accountability Act (“HIPAA”), provides for the disclosure of protected health information (“PHI”) in the absence of consent under a range of circumstances.  This includes, but is not limited to, for treatment, payment and healthcare operations (collectively, “TPO”) as well as for other purposes (research, public health activities, etc.).  Importantly, patients do not have a right to sue their health care provider under HIPAA for failing to follow HIPAA regulations (there is no private right of action).

However, HIPAA sets only minimum standards that must be followed when patient data is concerned.  It does not preempt states from passing more stringent healthcare privacy laws—as Minnesota has done with the MHRA.  The MHRA protects the data contained in medical records of individual patients collected by healthcare providers and applies to all Minnesota-licensed physicians.  Providers that violate the MHRA are subject to recourse from their licensing board.  Unlike HIPAA, patients may also sue providers for violating the MHRA.

Relevant for purposes of the Mayo Clinic litigations, in addition to the requirements under the HIPAA Privacy Rule, the MHRA prohibits a provider from releasing a patient’s health records to any person without:

(1) a signed and dated consent from the patient or the patient’s legally authorized representative authorizing the release;

(2) specific authorization in law; or

(3) a representation from a provider that holds a signed and dated consent from the patient authorizing the release.

Plaintiffs in the two litigations assert that they are “patients” as defined under the MHRA and Mayo Clinic is a “provider”.  They also allege that a former employee of the Mayo Clinic accessed their “health records” in the absence of their consent, in contravention of the MHRA’s requirements.  Besides pleading a count under the MHRA, Plaintiffs bring common law tort claims for invasion of privacy, negligent infliction of emotional distress, and for vicarious liability.  Plaintiffs seek monetary damages in addition to any other relief the court deems just and equitable.

As the number of data breaches continues to rise, so too will the number of data breach litigations.  CPW will there to cover these developments as they occur.  Stay tuned.