HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail.

The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered.

A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no need to do so to fulfil his role as a doctor and hospital employee. Alsughayer’s legal team filed a motion to dismiss the lawsuit on June 1, 2021 “on the grounds that there does not exist probable cause to believe the defendant committed the offense(s) charged therein.”

Allegations had previously been made against Alsughayer in three lawsuits, the latest of which was filed against Alsughayer and Mayo Clinic on May 29, 2021. In December 2020, a female patient, named as K.M.M in the lawsuit, contacted Rochester police after receiving a breach notification letter from Mayo Clinic.

She had learned that her medical records, which included nude images that were taken on three separate occasions, had been accessed by a hospital worker. After requesting to view her medical records, the woman discovered the dates of inappropriate access coincided with the dates that the images were taken. She alleged the hospital employee referred to in the breach notification letter had accessed her medical records specifically to view her nude images.

According to the lawsuit, the doctor “was at an off-campus, private location” when her medical records were accessed and “Alsughayer did not need photographic images of plaintiff’s breasts and genitals to do his job.” A court hearing has been scheduled in August.

In addition to that lawsuit, two class action lawsuits had already been filed in Olmsted County Court in connection with the breach. Amanda Bloxton-Kippola (MI) and Chelsea Turner (MN) are named as the plaintiffs in one of those lawsuits against Alsughayer and Mayo Clinic, with the second lawsuit naming Olga Ryabchuk (MN) as the plaintiff and John Doe and Mayo Clinic as defendants. One of the lawsuits alleges that the medical records accessed included nude photographs taken by Mayo Clinic as part of the healthcare services provided. Both lawsuits have been scheduled for trial next year.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.