Date: 2020-10-08

ROCHESTER, Minn. - Mayo Clinic is investigating after a privacy breach impacted more than 1,600 of its patients.

Mayo Clinic announced the breach on Oct. 7, but said they were alerted to the suspicious access on Aug. 5. Investigators determined the access was isolated to one employee.

Local attorney Andrew Davick tells KIMT News 3 he's been contacted by impacted patients about the matter. He said this could be a HIPAA violation if the individual accessed medical records and was not involved in the patients' care. He suspects that's the case since the employee is no longer with Mayo.

With a lot of unknowns regarding the nature of the breach, Davick said patients have a right to ask questions.

"If I were in your shoes, I would inquire further of the clinic," Davick said. "I would go to them and say 'I would like to know exactly what was accessed in terms of my patient record, what was done about it, was there a third-party dissemination of that information?' So for example, did this individual who accessed these medical records; were they downloaded, were they taken off site, were they provided to a third party?"

Davick said whether or not they take on cases depends on the circumstances and nature of the incident. Mayo Clinic said all patients who have been affected will receive a letter in the mail with additional information.

"I think asking those questions and trying to determine and understand the scope of the invasion and exactly what happened and their personal circumstance is important," Davick said.

Mayo Clinic's full statement is below:

Mayo Clinic confirmed a privacy breach affecting 1,131 patients in Minnesota and 1,614 patients total. On Aug. 5, Mayo confirmed suspicious access to patients' protected health information by one former employee of Mayo Clinic in Rochester. Given the number of affected patients, the specific date of inappropriate access is detailed in the individual notices.

Mayo investigated the incident and concluded that this case of inappropriate access was isolated to one employee who is no longer with Mayo Clinic. The following data elements may have been viewed: name, demographic information, date of birth, medical record number, clinical notes, and, in some instances, images. Access was limited in duration, and Mayo has no evidence that any data was printed or retained by the former employee. Social security numbers, payment card information, or bank account numbers were not accessed. Therefore, affected patients do not need to take any actions in response to this incident. Although it remains a good idea to regularly check credit reports, which are available at www.annualcreditreport.com.

Mayo Clinic is strongly committed to protecting the privacy of our patients, and we sincerely regret that this incident occurred. Mayo takes this matter very seriously and as a result of this investigation is reviewing its policies and procedures. Mayo will provide appropriate training and education regarding any changes to our staff.

Mayo continues to investigate this breach to ensure any patients whose records were inappropriately accessed are identified. All Mayo Clinic patients who have been affected will receive a mailed notification letter with additional information. Patients who received a letter and others who have additional questions may call 1-844-681-7087 (toll free).