Cyber Incident Victim: Hennepin Healthcare
Date: Oct 2020
Location: United States of America
Summary
Employees at Hennepin Healthcare accessed the medical records of George Floyd without authorization, violating patient privacy. An internal investigation found multiple unauthorized accesses by staff who had no legitimate work-related reason to view the records, and several employees were terminated as a result. The breach, which involved a high-profile patient's sensitive health information, was disclosed to the attorney for the affected individual's family, confirming non-compliant data handling practices within the organization.
Description
In October 2020, Hennepin Healthcare terminated five employees for improperly accessing the medical records of George Floyd, a high-profile patient, without legitimate work-related justification. The incident came to light after an attorney representing Floyd’s family was notified in September 2020 that Floyd’s protected health information had been accessed multiple times in violation of privacy protocols. A subsequent public records request by FOX 9 revealed internal documentation confirming the unauthorized accesses and the resulting disciplinary actions. The hospital classified Floyd as a “high profile patient,” indicating heightened sensitivity around his records. The employees’ actions breached medical privacy laws, though the exact dates and methods of access were not publicly disclosed. Hennepin Healthcare did not specify the roles or departments of the terminated staff but confirmed the accesses lacked a valid clinical or administrative purpose. The hospital’s investigation concluded the violations were serious enough to warrant immediate termination rather than lesser disciplinary measures.

The incident drew public attention due to Floyd’s prominence following his death in May 2020 and raised concerns about systemic failures in safeguarding sensitive patient data. Hennepin Healthcare’s response focused on personnel accountability, with no reported technical or procedural changes to its electronic health record system. The hospital did not disclose whether affected patients or regulatory bodies were formally notified beyond the initial communication with Floyd’s family attorney. No evidence suggested broader data misuse or external dissemination of Floyd’s records. The terminations underscored institutional risks posed by insider threats, particularly involving high-profile cases. Public records released in October 2020 provided transparency about the dismissals but did not elaborate on pre-incident access controls or post-incident audits. The hospital faced reputational scrutiny but reported no legal penalties or fines directly tied to the breach at the time of disclosure.
