One of the most prestigious healthcare companies in the country is in hot water after one of its medical residents was caught looking at nude photos of patients, even though he had no medical reason for doing so. It’s a major privacy violation that would haunt anyone.
Now, Mayo Clinic and the resident are the targets of multiple lawsuits.
Snooping on Patients
The Rochester, MN clinic is facing three civil lawsuits from former patients that allege a former surgery resident viewed hundreds of nude patient photos for personal reasons unrelated to their medical care. The resident has been identified as Ahmad Alsughayer, 28, who has an address in Saginaw, Michigan.
He was charged with a misdemeanor of unauthorized computer access in Olmsted County after one of the patients whose records he viewed contacted Rochester police. Alsughayer is believed to have accessed illicit images of around 1,614 patients during his time at Mayo Clinic.
Of the three civil suits, one of the plaintiffs, a Rochester-area woman, is suing the health system after Alsughayer looked at nude pictures of her. She says the company should have used a feature in its electronic health records system that would’ve prevented the resident from looking at highly sensitive files.
Her attorney, Andrew Davick of Meshbesher & Spence, says many of the images viewed by the resident were for cancer and dermatology screenings, in which full-body images are taken of patients in the nude. Providers use these images to monitor skin changes over time. Patients undergoing breast reconstruction surgery were also included in the breach.
The plaintiff is only listed as “K.M.M.” in the lawsuit for privacy reasons. She is currently in a program for survivors of sexual assault after being raped.
She received a letter from Mayo Clinic notifying her of the data breach, but it didn’t say which files were breached. She realized it must have been nude images when she looked at the dates.
“It was like being raped again,” K.M.M. said. “When you lose control of your pictures…it’s like being totally violated.”
Another plaintiff, Olga Ryabchuk of Olmsted County, believes Mayo Clinic was less than transparent about the entire experience.
“This representation was false,” the lawsuit says. “Mayo Clinic already knew, but did not tell plaintiff that Alsughayer had requested access to these 1,600+ EHRs to view naked images of female patients…and that Mayo Clinic chose not to implement the fixes and protections proper to have prevented this incident.”
A third civil suit is also pending with similar accusations. All three are being filed in state court. Two of the three suits are seeking class-action status, which would allow other plaintiffs to join the suit.
All three cases name both Mayo Clinic and Alsughayer as defendants. They claim both parties violated the Minnesota Health Records Act, which forbids unauthorized access to sensitive medical information.
Protecting EHRs
Last October, the health network sent out a news release saying that there was “suspicious access” to the medical records of 1,614 patients on August 5th — including 1,131 Minnesotans — by a former employee. They added the breach included names, dates of birth, addresses, medical record numbers, clinical notes, “and, in some instances, images.”
However, the company refused to take responsibility for the breach. It refuted the idea that it released the photos to Alsughayer or that it is somehow responsible for the damage his actions caused. It says Alsughayer’s employment “was ending” when the breach was discovered.
“Mayo Clinic is strongly committed to protecting the privacy of our patients, and we sincerely regret that this incident occurred. Mayo takes this matter very seriously and as a result of this investigation is reviewing its policies and procedures,” the company said at the time.
On Tuesday, Mayo Clinic said only one employee viewed “protected medical information,” and that the clinic notified the authorities and affected patients. “In light of the pending criminal and civil suits, we respectfully refer you to our prior media notice and the public court file,” a spokesperson added.
As part of her lawsuit, K.M.M. says the clinic gives out iPads to providers so they can access EHRs on the go, but they can use them “anywhere they choose, whether at the office or in the privacy of an apartment.” She says anyone in the system can access these files, instead of limiting access to doctors who are involved with the patient’s care.
“He wasn’t on my care team,” K.M.M. said. “He had no business whatsoever to look at my photos or my file.” She says Alsughayer viewed about 200 images of her taken between February and May of 2020.
Alsughayer is scheduled to appear in court in early July.