Issue may have led to limited disclosure of patient information through Mayo Clinic app


On Jan. 22, 2019, Mayo Clinic learned of a technical issue in how some data from its systems was retrieved and then displayed through the Mayo Clinic app. Fewer than 2,000 patients were affected by this issue.

Limited information from one date of service, about one patient, could have been inadvertently viewed by one other patient logged in to the app if certain screens were clicked between May 1, 2015, and Feb. 1, 2019. The information could have included name, age, clinic number or information related to clinical care.

There is no evidence that any personal financial information or social security numbers were accessed or misused. Mayo Clinic does not believe that potentially affected patients need to take any action in response to this incident.

Mayo Clinic promptly identified the root cause of the issue and corrected it. Mayo Clinic takes this matter very seriously and will continue monitoring patient records to prevent further incidents from occurring. Mayo Clinic is strongly committed to protecting the privacy of its patients.

Mayo Clinic notified affected patients on March 22, 2019. However, Mayo Clinic had out-of-date contact information for some of the affected patients. If you believe you were affected by this incident, you may contact Mayo Clinic at 844-681-7087 (toll-free) between 8 a.m. and 5 p.m. Central time, Monday through Friday.

FREQUENTLY ASKED QUESTIONS

What happened?

In January 2019 we discovered an issue with the Mayo Clinic mobile patient application that resulted in information for one date of service potentially being viewed by one other patient between May 1, 2015, and Feb. 1, 2019. The information was only viewable to one other patient if that patient logged in to the mobile application, clicked on his or her Lab Results, clicked on a specific Lab Test performed between April 2001 and September 2008, clicked on a Lab Value, clicked on Individual Results, and then viewed the Lab Comment. This issue did not affect the web-based Patient Online Services, nor did it affect the electronic health record. The issue was caused by a table-linking error: the link between a lab comment and the patient it belongs to was incorrect, so limited information about one patient could be displayed to the wrong mobile application user. Although we did not have evidence that personal information was seen by others, we did want to inform our patients about the incident.
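In general terms, a table-linking error of the kind described above is a lookup that does not carry the patient's identity through to every table it reads. The following is an added example, not Mayo Clinic's code and not its actual schema; the tables, column names, the assumption that legacy lab results are numbered per patient rather than globally, and the sample rows are all constructed for illustration. It shows a comment lookup that links on the result number alone, the same lookup scoped to the authenticated patient, and an audit query of the kind used to enumerate which records were linked across patients.

```python
import sqlite3

# Constructed schema and data for illustration only (not Mayo Clinic's).
# Assumption: legacy results carry a per-patient sequence number, so the
# number alone does not identify a row across patients.
SCHEMA = """
CREATE TABLE lab_result (
    patient_id INTEGER NOT NULL,
    result_seq INTEGER NOT NULL,   -- per-patient sequence, not globally unique
    test_name  TEXT NOT NULL,
    value      TEXT NOT NULL,
    PRIMARY KEY (patient_id, result_seq)
);
CREATE TABLE lab_comment (
    patient_id INTEGER NOT NULL,
    result_seq INTEGER NOT NULL,
    comment    TEXT NOT NULL,
    PRIMARY KEY (patient_id, result_seq)
);
"""

SAMPLE_RESULTS = [
    (1001, 1, "Glucose", "95 mg/dL"),
    (1001, 2, "Hemoglobin", "14.1 g/dL"),
    (2002, 1, "Glucose", "180 mg/dL"),
]
SAMPLE_COMMENTS = [
    (1001, 2, "Within reference range for patient 1001."),
    (2002, 1, "Patient 2002: fasting glucose elevated; repeat test advised."),
]


def open_db():
    """Builds an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO lab_result VALUES (?,?,?,?)", SAMPLE_RESULTS)
    conn.executemany("INSERT INTO lab_comment VALUES (?,?,?)", SAMPLE_COMMENTS)
    return conn


def comment_buggy(conn, patient_id, result_seq):
    """Links the comment table on the sequence number only. The result row is
    scoped to the authenticated patient, but that scope is not carried into
    the comment join, so a colliding result_seq returns another patient's
    comment."""
    row = conn.execute(
        "SELECT c.comment FROM lab_result r "
        "JOIN lab_comment c ON c.result_seq = r.result_seq "
        "WHERE r.patient_id = ? AND r.result_seq = ?",
        (patient_id, result_seq),
    ).fetchone()
    return row[0] if row else None


def comment_fixed(conn, patient_id, result_seq):
    """Same lookup with the patient identity carried into the join, so only a
    comment that belongs to the same patient as the result can be returned."""
    row = conn.execute(
        "SELECT c.comment FROM lab_result r "
        "JOIN lab_comment c ON c.patient_id = r.patient_id "
        "                  AND c.result_seq = r.result_seq "
        "WHERE r.patient_id = ? AND r.result_seq = ?",
        (patient_id, result_seq),
    ).fetchone()
    return row[0] if row else None


def find_cross_patient_links(conn):
    """Replays the unscoped join over every result and reports rows whose
    linked comment belongs to a different patient: (viewer, exposed, seq).
    This is the audit that identifies which records and patients are
    affected; it should return rows before the fix and none after."""
    return conn.execute(
        "SELECT r.patient_id AS viewer, c.patient_id AS exposed, r.result_seq "
        "FROM lab_result r JOIN lab_comment c ON c.result_seq = r.result_seq "
        "WHERE c.patient_id <> r.patient_id "
        "ORDER BY r.patient_id, r.result_seq"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("buggy lookup, patient 1001 seq 1:", comment_buggy(db, 1001, 1))
    print("fixed lookup, patient 1001 seq 1:", comment_fixed(db, 1001, 1))
    print("cross-patient links:", find_cross_patient_links(db))
```

The patient_id passed into these lookups must come from the authenticated session, never from a request parameter; scoping the join is necessary but not sufficient if the caller can choose the patient. Running the audit query before and after the correction is the check that confirms the fix and bounds the set of patients to notify.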

When did this happen?

We learned of this issue on Jan. 22, 2019, and began an immediate investigation. By Feb. 2, 2019, we had fully identified the cause of the issue and corrected the issue to ensure patient information was no longer viewable by another user.

How do I know if I was impacted?

All affected individuals were notified by mailed letters sent on March 22, 2019. If your contact information is current with Mayo Clinic, and you did not receive a letter, you can be assured that you were not impacted by this incident.

What personal information was exposed?

In most cases, the information included the patient's name, age, date of clinical service and information related to clinical care for one date of service. In rare cases, the information also included the patient's Mayo Clinic number and/or birthdate.

Were social security numbers exposed?

No.

Was the information protected/encrypted?

The patient mobile application is encrypted. Encryption did not prevent this issue, however, because the information was delivered to another patient's own authenticated session; the correction was to the link between the information and the patient it belongs to. Any information that could have been viewable to another user has been removed from that view and linked to the correct patient.

How many people were involved?

There were 1,902 individuals who were affected by this.

Was the information removed from the server/directory?

The information was not stored in the mobile application; it was retrieved from Mayo Clinic's systems and displayed, so there was nothing to remove from the application itself. We have corrected the link so that the information is no longer viewable by another user.

Does this mean someone had access to another patient's mobile application?

No, the error was the result of incorrect information being viewable in one other patient's mobile application. This information was not stored in the mobile application and would have only been viewed if that user logged in to the mobile application, clicked on his or her Lab Results, clicked on a specific Lab Test performed between April 2001 and September 2008, clicked on a Lab Value, clicked on Individual Results, and then viewed the Lab Comment, which would have instead contained another patient's information for one date of service.

The user did not have access to another patient's mobile application, nor did the user have access to additional information other than the one incorrect comment.

Can you tell me who viewed the information?

We do not have evidence that another person actually viewed the information.

Can you tell me exactly what information was viewable?

In general, the information could have included a patient's name, age, clinic number and/or information related to the patient's clinical care.

Why didn't you tell affected individuals about the breach of the data sooner?

Upon learning of the issue on Jan. 22, 2019, we began an immediate investigation to determine its cause. Once the cause was identified and corrected, by Feb. 2, 2019, we worked to accurately identify the affected patients, and notification letters were mailed on March 22, 2019.

What is Mayo Clinic doing to prevent this kind of breach from happening again?

Mayo Clinic takes this matter very seriously, and we put additional technical safeguards in place to prevent future incidents from occurring.

If there are any updates regarding the investigation into the data breach, how will we be notified?

If additional updates are provided, Mayo Clinic will notify affected individuals through a letter.

Has the information been misused?

At this time, there is no evidence that there has been any use, or attempted use, of the information exposed in this incident.

What are the risks of identity theft with the information that was exposed?

The information that may have been viewed by another individual did not contain any financial information or social security numbers. Due to this, we do not believe the information could be used for identity theft purposes.