Mayo Clinic is notifying more than 1,600 patients that their health records were illicitly accessed by a former employee.
The breach was confirmed on Aug. 5. While the files in question included names, dates of birth, medical notes and other personal information, no Social Security numbers or bank accounts were accessed.
“Access was limited in duration, and Mayo has no evidence that any data was printed or retained by the former employee,” according to the clinic’s announcement. “Social Security numbers, payment card information, or bank account numbers were not accessed. Therefore, affected patients do not need to take any actions in response to this incident.”
Each patient whose information was accessed will be directly contacted by Mayo Clinic. The files accessed included 1,131 Minnesota patients.
While the breach was confirmed in August, it’s unclear when the employee actually accessed the documents. The delay in the notification was due to Mayo Clinic's investigation process.
"When Mayo Clinic Privacy Office confirms a breach has occurred, a thorough investigation is conducted to ensure the breadth of the breach is understood. The process takes time to complete as we work to identify all the affected patients and verify the details of the breach. Mayo Clinic continues to observe required notification timelines prescribed under HIPAA," wrote Mayo Clinic's Heather Carlson.
The employee who accessed the records was “a licensed health care worker,” although Mayo Clinic is not identifying the person. The worker was ending their employment with Mayo Clinic when the violation was discovered.
“Mayo Clinic is strongly committed to protecting the privacy of our patients, and we sincerely regret that this incident occurred,” according to the clinic’s statement. “Mayo takes this matter very seriously and as a result of this investigation is reviewing its policies and procedures. Mayo will provide appropriate training and education regarding any changes to our staff.”