Mayo Clinic faces lawsuit in breach of patients' health records

Patients whose medical records were improperly accessed by a former Mayo Clinic employee are attempting to mount a class-action lawsuit against the health care provider for failing to protect their sensitive personal data.

The lead plaintiff, Olga Ryabchuk, was one of more than 1,600 patients, including more than 1,000 from Minnesota, who had their medical records examined by a former Mayo health care worker who had no right to look at them, according to a complaint filed Friday in Olmsted County District Court.

Ryabchuk claims violation of the Minnesota Health Records Act, which forbids unauthorized access to medical records. She also sued for invasion of privacy and emotional distress. In addition to personal information, demographic information and clinical notes, the Mayo employee allegedly looked at "images" of private parts of Ryabchuk's body, according to the complaint. In a letter to Ryabchuk, Mayo said it became aware of the breach of her records on Aug. 5.

The filing seeks a class designation for all patients whose records got snooped. The suit asks to extend back two years in order to capture others whose information was compromised. It seeks compensatory damages in excess of $50,000 and the right to pursue punitive damages.

"Litigation has been commenced regarding this matter," a Mayo spokeswoman told the Star Tribune in an e-mail. "Mayo does not comment on pending litigation."

When Mayo announced the data breach in October, the health care facility said the employee accessed no Social Security numbers or bank-account numbers. But he or she did look at patient names, dates of birth, demographic information, clinical notes and, in some cases, digital images. Mayo said it notified the FBI of the breach.

The medical center has never publicly named the former employee who was involved. Marshall Tanick, attorney for the plaintiffs, said he will seek the person's name as well as the names of other victims.

Mayo faced a similar data breach at its Arizona campus in 2010, according to a report in Bloomberg Law. That situation involved 1,700 patients and it, too, ended in the dismissal of an employee.

In July, Hennepin Healthcare fired five employees for accessing without authorization the hospital records of George Floyd, a Black man whose killing by a white Minneapolis police officer provoked worldwide protests calling attention to racial injustice.

Tanick said that in his law practice he has seen an increase in medical-records breaches at large and small hospitals alike.

"Because of our digital society," he said, people have easier access to information.

"There is an increase in voyeurism across society," Tanick added. Technology has driven an uptick in "people being nosy and looking into people's private affairs."

Jim Spencer • 202-662-7432