Data Breaches at Mayo Clinic, UMMA Community Clinic and AAA Ambulance Service

Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without a Legitimate Work Reason

Mayo Clinic began sending notifications to over 1,600 patients that a former employee accessed some of their protected health information (PHI) without authorization.

Mayo Clinic announced on August 5, 2020 that a licensed medical professional had viewed patients' data files without a valid reason. The employee was finishing their employment with Mayo Clinic when the provider discovered the privacy breach. The person no longer works at Mayo Clinic.

The reason for viewing the healthcare data is not known, and Mayo Clinic did not reveal when the privacy breach happened. Mayo Clinic said that the records were accessed for a limited length of time and that no evidence was found to suggest the employee printed or retained any information.

The potentially exposed data included names, birth dates, demographic data, medical record numbers, medical images, and clinical notes. The employee did not view financial information or Social Security numbers. Mayo Clinic has reported the unauthorized data access to the FBI and the Rochester Police Department. The investigation of the security breach is ongoing.

Mayo Clinic stated that the delay in sending notifications was due to the lengthy investigation into the privacy breach. Affected persons have already received notifications; however, the nature of the data exposed indicates that no action is necessary in connection with the breach.

Insider Breach at UMMA Community Clinic

The Los Angeles University Muslim Medical Association (UMMA) Community Clinic learned that an ex-employee transmitted a secured file containing patients' PHI to a private email account. UMMA discovered the incident on July 1, 2020, two days after the file was emailed.

UMMA has acquired written affirmation from the ex-employee that the file was properly deleted, and UMMA is not aware of any other data exposures or misuse.

UMMA has put additional policies and procedures in place to prevent similar privacy breaches in the future. It is not presently clear how many people have been impacted or what types of protected health information were included in the secured document.

Attempted Ransomware Attack at AAA Ambulance Service

AAA Ambulance Service in Mississippi is informing patients about an attempted ransomware attack that happened sometime on July 1, 2020. Immediate action was taken to stop data encryption. An internal investigation was started to determine the magnitude of the data breach. With the help of third-party computer forensics specialists, AAA Ambulance Service established on August 26, 2020 that the attackers may have accessed or exfiltrated patient data before the ransomware was deployed.

The types of information likely exposed include patients' names along with at least one of the following: driver's license number, Social Security number, birth date, financial account number, diagnosis data, treatment details, patient account number, medication details, medical record number and/or medical insurance details.

No evidence has been found to suggest misuse of patient data. However, as a safety precaution, impacted persons were offered free credit monitoring services. AAA Ambulance Service is implementing additional safety measures to prevent similar breaches in the future.