Mayo Clinic is facing three lawsuits from patients who say a former surgery resident, Ahmad Alsughayer, viewed hundreds of their nude photographs in electronic medical records despite having no professional reason to go into their files.
Alsughayer, who is 28 and has a current address in Saginaw, Mich., was charged in April by the Olmsted County attorney's office with a single gross misdemeanor of unauthorized computer access after one of the 1,614 patients whose records he viewed filed a report with the Rochester Police.
Three civil lawsuits have been filed. One Rochester-area woman who works at Mayo and had nude medical images viewed last year by Alsughayer is suing the health system for failing to use a feature in its electronic health records (EHR) system that she says would have prevented the privacy breach by limiting access to highly sensitive medical records.
Although the data-breach letter she received from Mayo didn't expressly mention the naked photos, the woman said in an interview that she figured it out based on the dates of the records. Marisa is identified by the pseudonym "K.M.M." in her lawsuit. (The Star Tribune is not using her full name because she's in Minnesota's Safe at Home program for anonymity following a rape years earlier.)
"It was like being raped again," Marisa said Tuesday. "When you lose control of your pictures ... it's like being totally violated."
A plaintiff in a second lawsuit, Olga Ryabchuk of Olmsted County, said she felt Mayo personnel weren't honest when they said the investigation couldn't find a medical or business reason for the breach and Mayo would never know why this happened.
"This representation was false," Ryabchuk's lawsuit says. "Mayo Clinic already knew, but did not tell plaintiff, that Alsughayer had requested access to these 1,600+ EHRs to view naked images of female patients ... and that Mayo Clinic chose not to implement the fixes and protections proper to have prevented this incident."
A third lawsuit is pending with similar allegations. All three cases are filed in state court, and two of the three are seeking class-action status. All three cases name Mayo Clinic and Alsughayer as defendants. (Ryabchuk's case is being amended to include Alsughayer by name, attorney Marshall Tanick said.)
In court filings, Mayo has denied the allegations against the health system. Mayo said Tuesday that its staff investigated the incident, concluded that only one employee viewed patients' "protected medical information," and notified the authorities and affected patients.
"Mayo Clinic is strongly committed to protecting the privacy of our patients, and we sincerely regret that this incident occurred," the health system's public statement last October said. "Mayo takes this matter very seriously and as a result of this investigation is reviewing its policies and procedures."
This week, a system spokeswoman said via email, "In light of the pending criminal and civil suits, we respectfully refer you to our prior media notice and the public court file."
Alsughhayer could not be reached for comment. Mayo Clinic is not providing his legal defense.
Marsh Halberg, who said he is Alsughayer's attorney in the criminal case, declined to comment. Alsughayer is scheduled to have his first court appearance in the criminal matter in early July.
On Oct. 5, Mayo Clinic said in a news release that on Aug. 5 it confirmed "suspicious access" to the medical records of 1,614 patients — including 1,131 Minnesotans — by a lone former employee.
Using language common to medical-data notifications, Mayo's letters to patients said an unnamed employee had inappropriately accessed files with their name, demographic information, date of birth, medical record number, clinical notes, "and, in some instances, images."
A lawyer for Marisa, Andrew Davick of Meshbesher & Spence, said many of the images viewed by Alsughayer were for dermatology and cancer appointments, in which full-body pictures are taken and stored to monitor skin changes over time. Images of patients undergoing breast reconstruction surgery were also among those viewed.
The statement of probable cause in the criminal case says Alsughayer gained, or attempted to gain, unauthorized access by accessing a computer security system in February 2020.
Marisa's lawsuit says Mayo Clinic clinicians can look at patients' electronic medical records using an employer-issued iPad that works "anywhere they choose, whether at the office or in the privacy of an apartment." The system does not limit doctors to viewing the files of patients under their direct care, the lawsuit alleges.
The filing says Alsughayer looked at Marisa's images on June 15, 2020. The images were from appointments in February, March and May of that year.
Marisa said Alsughayer looked at about 200 of her images. "He wasn't on my care team," she said. "He had no business whatsoever to look at my photos or my file."
A filing from the judge in the Ryabchuk case says Mayo's internal monitoring systems "detected a potential unauthorized access of patient files by an employee" sometime in June 2020.
A Mayo spokeswoman told the Star Tribune last November that because of the number of patients affected, Mayo Clinic staff had notified local police and the FBI about the breach. The clinic also reported the matter to "applicable licensing boards."
"Mayo Clinic will fully corporate with law enforcement," the Mayo spokeswoman wrote Oct. 6.
Mayo said Alsughayer's employment "was ending" when the breach was discovered.
In a civil lawsuit Alsughayer subsequently filed against the Educational Commission for Foreign Medical Graduates, in eastern Pennsylvania federal court, a judge wrote that "plaintiff's conduct ... resulted in his retroactive removal from the Mayo Clinic." (It's not clear what Alsughayer's goal was in filing the suit, as it was dismissed while under seal.)
The statement of probable cause says Mayo positively identified Alsughayer as the person who accessed the records. The detective also looked at files documenting the training Alsughayer received on Mayo's EHR access policies.
The two lawsuits seeking class-action status were filed in Minnesota state court late last year — Ryabchuk's lawsuit, and a second one filed by Amanda Bloxton-Kippola of Michigan and Chelsea Turner of Minnesota.
The three lawsuits, including Marisa's case, claim violations of the Minnesota Health Records Act and invasion of privacy. Ryabchuk's class-action case and Marisa's individual case also claim nonconsensual dissemination of private sexual images and negligence by Mayo.
In court filings, Mayo has denied the allegations, including the suggestion that it "released" the images to Alsughayer or that it is responsible for damages caused by his conduct.
"Conduct and damages alleged in the Amended Complaint were not caused by any action or inaction on the part of Mayo," the health system's response to the Bloxton-Kippola lawsuit says. Judge Kathy M. Wallace in March declined a motion to dismiss the case on procedural grounds.
Judge Wallace in April did dismiss the Ryabchuk lawsuit but allowed some claims to be refiled. In June, Ryabchuk filed an amended complaint with more specific allegations against Mayo.
The question of whether to certify a class in either case hasn't been decided.
Marisa's case was filed last May and hasn't had any judicial rulings. Mayo legal filings say the system intends to ask for some of the claims to be dismissed, and for the rest to be removed from an "expedited" litigation program.