The University of Kansas Hospital Authority and Health System (KU Health), Epic Systems Corp., and Lawrence Memorial Hospital are facing a class action lawsuit filed in the U.S. District Court in Kansas City, Kansas. The lawsuit centers on a physical therapist who viewed nude patient photographs without authorization. According to the complaint, the physical therapist viewed the files of about 425 women who had undergone breast augmentation and/or other cosmetic surgery at Plastic Surgery Specialists of Lawrence, a practice affiliated with Lawrence Memorial Hospital.
The physical therapist worked at KU Health and viewed the patients' records even though he was not affiliated with the plastic surgery clinic and had no treatment relationship with any of the patients. He used his KU Health credentials to open patient files containing body measurements, nude clinical before-and-after photographs, and sensitive personally identifiable information (PII). The PT's first access occurred in February 2021, and the access continued until February 2023.
After the privacy violation was discovered, an internal investigation followed. KU Health fired the physical therapist, but the lawsuit claims KU Health did not report the unauthorized access to medical records to the authorities. Epic Systems Corp. is named in the lawsuit because, the complaint alleges, Epic's platform allowed patient information to be shared among unrelated health systems.
The lawsuit also challenges the notification process, alleging that KU Health discovered the unauthorized access in February 2023 but waited two months, until April 2023, to send breach notification letters to the affected individuals. The plaintiffs state that the letters omitted basic facts about the breach, including the name of the PT, the number of people affected, the categories of private data accessed, and whether the PT had copied or retained any patient information or images.
The lawsuit is brought by two Jane Doe plaintiffs, each suing individually and on behalf of other similarly situated individuals. The plaintiffs state that their files contained before-and-after photographs of their fully nude bodies; one plaintiff says her face is visible in the images. The files viewed by the former employee also included names, contact details, dates of birth, health insurance information, and Social Security numbers.
The lawsuit states that the defendants knew or should have known that the PT was viewing patient files without consent. The PT had no legitimate treatment relationship with the patients and was not authorized to access their files. According to the complaint, KU Health should have detected the PT's access immediately rather than allowing it to continue for two years.
The lawsuit asserts claims for invasion of privacy (intrusion upon seclusion), negligence, breach of implied contract, intentional infliction of emotional distress, negligent supervision, retention and training, breach of contract as a third-party beneficiary, breach of express contract, violation of the Stored Communications Act, violation of the Computer Fraud and Abuse Act, violation of the right to data privacy under the 14th Amendment to the U.S. Constitution, and violation of the right to be free from unreasonable search and seizure under the 14th Amendment.
The law firm Stueve Siegel Hanson LLP filed the lawsuit, describing it as an example of a serious problem in the healthcare sector: staff at one organization gaining access to patient files at an unaffiliated facility without oversight. The case calls for stronger safeguards on patient records and seeks to hold accountable those who failed to protect them. The lawsuit seeks compensatory and punitive damages and demands a jury trial.
Image credit: tong2530, AdobeStock


