HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Authorization

Mayo Clinic has started notifying more than 1,600 patients that some of their protected health information has been viewed by a former employee without authorization.

Mayo Clinic confirmed on August 5, 2020 that a licensed health care professional had accessed the records of patients when there was no legitimate reason for doing so. The employee was ending their employment with Mayo Clinic when the privacy breach was discovered and the individual no longer works at Mayo Clinic.

The reason for accessing the medical records is not known and Mayo Clinic has not disclosed when the privacy breach occurred. Mayo Clinic explained that the access was limited in duration and no evidence was found to suggest any information was printed or retained by the employee.

The types of information accessed included names, dates of birth, demographic information, medical record numbers, medical images, and clinical notes. No financial information or Social Security numbers were viewed. Mayo Clinic has reported the unauthorized access to the Rochester Police Department and the FBI, and the privacy breach is being investigated.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Mayo Clinic said there was a delay in issuing notifications as the investigation into the privacy breach took time to complete. Affected individuals have now been notified, but the nature of data accessed means they do not need to take any action in relation to the breach.

UMMA Community Clinic Discovers Insider Breach

University Muslim Medical Association (UMMA) Community Clinic in Los Angeles has discovered a former employee sent a secured file containing patients’ protected health information to a personal email account. The incident was discovered on July 1, 2020, two days after the file was emailed.

UMMA has received written confirmation from the former employee that the file has been securely deleted and UMMA is unaware of any further disclosures or misuse of the information in the file.

UMMA has implemented additional policies and procedures to prevent similar privacy breaches in the future. It is currently clear how many individuals have been affected or the types of protected health information contained in the secured file.

AAA Ambulance Service Notifies Patients About Attempted Ransomware Attack

AAA Ambulance Service in Mississippi is notifying patients about an attempted ransomware attack that occurred on or about July 1, 2020. Prompt action was taken to prevent the encryption of data on its systems and an internal investigation was launched to determine the extent of the security breach. Assisted by third-party computer forensics experts, AAA Ambulance Service determined on August 26, 2020 that patient data may have been accessed or exfiltrated by the attackers prior to the deployment of ransomware.

The types of data potentially compromised include patients’ names in combination with one or more of the following data elements: Social Security number, driver’s license number, date of birth, financial account number, diagnosis information, treatment information, patient account number, prescription information, medical record number and/or health insurance information.

No evidence has been found to suggest any patient data has been misused, but out of an abundance of caution, affected individuals have been offered complimentary credit monitoring services. AAA Ambulance Service is implementing additional safeguards to prevent similar breaches in the future.

Seven Counties Services Suffers 13,375-Record Data Breach

Seven Counties Services in Kentucky is alerting 13,375 patients about a breach of their protected health information. Seven Counties Services was targeted in a phishing attack that saw the email accounts of 13 employees accessed by an unauthorized individual. The breach was detected by the Seven Counties’ IT department on July 28, 2020 and the compromised email accounts were immediately secured. The attack began on July 27, 2020 and continued until July 30, 2020.

A review of the compromised email accounts revealed they contained reports that included protected health information such as names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, diagnoses, and dates of service. It was not possible to determine if any emails in the accounts were opened, viewed, or downloaded by the attackers.

The Seven Counties Services IT department has improved access controls, implemented location-based multi-factor authentication, and the workforce has been re-educated on phishing and email spoofing attacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.