Printer Friendly, PDF & Email

Privacy Briefs: July 2021

◆ Mayo Clinic is facing three lawsuits from patients who say a former surgery resident, Ahmad Alsughayer, viewed hundreds of their nude photographs in electronic health records (EHRs) despite having no professional reason to go into their files.[1] Alsughayer was charged in April by the Olmsted County attorney’s office with a single gross misdemeanor of unauthorized computer access after one of the 1,614 patients whose records he viewed filed a report with the Rochester police. The three civil lawsuits include one from a Rochester-area woman who works at Mayo Clinic. She is suing the health system for failing to use a feature in its EHR system that she said would have prevented the privacy breach by limiting access to highly sensitive medical records. Although the data breach letter she received from Mayo didn’t expressly mention the naked photos, the woman told the Star Tribune that she figured it out based on the dates of the records. A plaintiff in a second lawsuit said she felt Mayo personnel weren’t honest when they said the investigation couldn’t find a medical or business reason for the breach and Mayo would never know why this happened. “This representation was false,” the lawsuit said. “Mayo Clinic already knew, but did not tell plaintiff, that Alsughayer had requested access to these 1,600+ EHRs to view naked images of female patients…and that Mayo Clinic chose not to implement the fixes and protections proper to have prevented this incident.” A third lawsuit is pending with similar allegations. All three cases are filed in state court, and two of the three are seeking class-action status. In court filings, Mayo has denied the allegations. The health system said that its staff investigated the incident, concluded that only one employee viewed patients’ “protected medical information,” and notified the authorities and affected patients.

This document is only available to subscribers. Please log in or purchase access.