In late July, as George Floyd’s death still permeated the news cycle, five Hennepin Healthcare employees received hand-delivered letters notifying them they were being fired for looking at a patient’s medical file without authorization, a violation of the hospital’s confidentiality policy.
The letters, obtained by the Star Tribune through a public records request, do not specifically identify the patient as Floyd. But some of them refer to a “high profile patient” and a case in the news. And shortly after they were delivered, the hospital sent a letter to Floyd’s family saying his private data had been breached by several employees who no longer worked there.
The letters give little clarity as to what drove the employees, from departments all over the hospital system, to violate Hennepin Healthcare’s confidentiality policy and fundamental ethics to look at the records.
Earlier this month, Floyd’s attorneys called the security breach a revictimization of the family.
“When George Floyd was desperate for a breath, the city of Minneapolis pushed on his neck further,” reads the statement from the Chicago-based law firm Romanucci & Blandin. “And even after death, he was abused and mistreated by the system. Shameful.”
One of the employees, an office specialist in the Emergency Medical Services department, said they were “concerned about the safety of the paramedics that had worked on this patient,” according to one of the disciplinary letters, dated July 28.
Another employee, from the hospital’s surgery clinic, acknowledged searching for the patient’s name but denied reading anything, according to the letter. “When asked why you searched the [sic] for the patients [sic] file you said you didn’t know why.”
A lab technician specialist said they accessed the patient’s records at the request of the medical examiner, who wanted blood samples. But they acknowledged they “did accidentally slip up” days later. “You stated that co-workers were talking about the medical information that was being reported on the news, and you clarified for them what was stated/written in the medical record,” according to the disciplinary letter.
The employees were all given the opportunity to appeal the discipline. Hennepin Healthcare officials redacted the names of the employees from the records, as well as the patient’s name.
Floyd’s legal team is exploring remedies to “make this right and make the family whole for this incredible intrusion of privacy,” according to their statement. “The security of medical records and personal information is of critical importance in Minnesota and across the country.”
Hennepin Healthcare spokeswoman Christine Hill has declined to answer questions about the data breach, instead citing the organization’s policy on patient confidentiality, saying that it regularly conducts privacy audits and that patients must be notified of breaches.
Floyd, 46, died in police custody on May 25 when four Minneapolis police officers detained him on suspicion of passing a counterfeit $20 bill at the Cup Foods convenience store at 38th Street and Chicago Avenue in south Minneapolis. Officer Derek Chauvin knelt on Floyd’s neck for several minutes as Floyd pleaded for breath and bystanders begged Chauvin and three other officers to stop. Chauvin is charged with second-degree murder and second-degree manslaughter in Floyd’s death. Three other officers, Thomas Lane, J. Alexander Kueng and Tou Thao are charged with aiding and abetting murder and manslaughter. All four have been fired.