Former Mayo Clinic employee improperly accessed 1,600-plus patient health records

Mayo Clinic is notifying more than 1,600 patients that a former employee inappropriately accessed their health records, but apparently did not retain any information gleaned from them.

The Rochester-based health system said in a statement Monday afternoon that an unnamed health care worker looked at electronic "data elements" including patient names, demographic information, dates of birth, medical-record numbers, clinical notes and, in some cases, medical images.

"Access was limited in duration, and Mayo has no evidence that any data was printed or retained by the former employee," Mayo's statement said. Social Security numbers, payment card information and bank-account numbers weren't accessed.

Mayo is not identifying the former employee, but a spokeswoman confirmed the person is a licensed health care worker whose applicable licensing boards have been notified.

Asked whether the person was terminated because of the breach, Mayo spokeswoman Ginger Plumbo said via e-mail that the person's employment at Mayo "was ending when the breach was discovered. The individual no longer works at Mayo Clinic and will not be rehired to work at Mayo."

The health system didn't specify when the breach occurred, noting only that the date is included in the individual breach letters. Given the number of people affected by the privacy breach, Mayo has notified the FBI and the Rochester Police Department about the incident.

"Law enforcement may choose to pursue charges, and we understand that they are investigating this matter. Mayo Clinic will fully cooperate with law enforcement," a spokeswoman said via e-mail.

All told, the breach affected 1,614 patients, including 1,131 in Minnesota. Mayo Clinic runs large hospital campuses in Rochester, Jacksonville, Fla., and Phoenix, in addition to a regional health system with more than 60 community hospitals and clinics in the Upper Midwest.

The health system's statement didn't recommend affected patients take any action in response to the data-breach notification. But it did note that it's "a good idea" for people to regularly check credit reports at www.annualcreditreport.com.

Cases of health care employees inappropriately accessing patient records are not uncommon.

In late July, public records show, Hennepin Healthcare in Minneapolis fired five employees after they inappropriately accessed medical records for George Floyd, whose killing in police custody on Memorial Day ignited a national reckoning over civil rights and police treatment of Black residents.

In 2011, the health system now known as Allina Health fired 32 people at its hospitals in Fridley and Coon Rapids for improperly looking up medical records on patients who were hospitalized for drug overdoses following a house party in Blaine.

One of the most well-known cases happened in Los Angeles in 2008, when UCLA Medical Center took steps to fire 13 people and discipline a half-dozen others who inappropriately viewed the medical records of pop singer Britney Spears, who had been in the hospital's psychiatric unit.

Mayo has fired employees for records-snooping in the past, including a "financial business unit" employee in Arizona who was let go in 2010 after accessing about 1,700 patient records, Bloomberg Law reported at the time.

Joe Carlson • 612-673-4779