A Cleveland Clinic Indian River Hospital patient, “John Doe,” has sued the hospital for damages after his private medical records, including his name and positive HIV test results, were accessed and photographed by a hospital employee and then published on social media.
Lawyers for the plaintiff, age 40, say the hospital acknowledged that an employee accessed the man’s records without authorization, but refused to reveal the employee’s identity, saying the employee no longer works at the hospital.
“Cleveland Clinic’s failure to maintain confidentiality of Plaintiff’s HIV test results and their publication online has caused Plaintiff to suffer from anxiety, embarrassment, isolation, and emotional distress,” according to the suit seeking a jury trial.
Unauthorized access to medical records violates the Health Insurance Portability and Accountability Act (HIPAA), a 1996 federal law that, among other things, protects the confidentiality of personal health information (PHI). The incident also violates Florida’s Omnibus AIDS Act, which makes HIV test results “super confidential,” the suit says.
The man was admitted to Cleveland Clinic Indian River Hospital on Dec. 22 and underwent several tests. The man’s records were “impermissibly accessed several times” prior to his discharge on Dec. 29. Photographs were taken of his personal information, including his name, address, date of birth and HIV-positive status.
On Dec. 29 the images were posted anonymously on a Facebook group page, along with the message “Ladies plz plz be careful well known guy in Fort Pierce / Gifford just got released from the hospital not caring he has HIV y’all plz be careful.” (sic) A photograph of the man also was posted on the group page.
The man called his daughter on his way home from the hospital to inform her of his HIV diagnosis, but to his shock, she told him she’d already read it on Facebook, the suit says.
John Doe’s family members, his ex-wife, and others in the community sent him screen shots of the social media post, the suit says.
The man reported the security breach to the hospital in January. Cleveland Clinic forwarded the complaint to its Office of Corporate Compliance. On Feb. 7, the hospital responded, acknowledging that the man’s records had been accessed without permission and apologized “for any inconvenience or concern” the incident caused, and said “those responsible … are no longer with the organization.”
Cleveland Clinic Florida spokesperson Raquel G. Rivas said in an emailed statement, “We are committed to standards designed to protect patient privacy. Cleveland Clinic does not comment on pending litigation.”