Johns Hopkins Health System Hit with HIPAA Privacy Rule Lawsuit

A particularly distasteful HIPAA Privacy Rule violation that occurred at Johns Hopkins Health System has now resulted in a $190 million class-action HIPAA Privacy Rule lawsuit being filed against the healthcare provider.

The HIPAA Privacy Rule lawsuit stems from the actions of an obstetrician/gynecologist employed by the hospital who was discovered to be taking illicit photographs of his female patients using a hand-held camera hidden in a pen-like device. The physician took videos and still photographs of his patients while he was conducting examinations.

Dr. Nikita Levy, M.D., was reported to the hospital security staff after other employees noticed a device that the physician wore around his neck during examinations of patients. While the item had the appearance of a pen, some of the hospital staff suspected that the device may in fact be a camera.

Security staff at the hospital investigated the allegation and visited the doctor in his offices, where they identified a number of camera devices which the doctor was required to surrender. The investigation determined that the doctor had taken some 1,200 videos and 140 photographs which were being stored on a network of computer servers kept at the doctor’s home. The material also included pictures and videos of minors. A few days after being discovered, Levy committed suicide.

The photographs and videos are classed as Protected Health Information under HIPAA Rules as they contain images of body parts, and in some of the material the identity of the victims can be determined. Most of the images, however, did not include the victims’ faces.

In spite of the material being stored on computer servers, law enforcement officials were unable to find any evidence that any of the material had been shared with other individuals. They have since confiscated the equipment and have secured the data.

While healthcare providers can implement a number of security controls to prevent electronic health records from being improperly accessed, and cybersecurity measures can be used to protect networks, preventing HIPAA violations caused by individual members of staff can be problematic. In this case, it is unlikely that any amount of training on HIPAA Rules would have prevented this HIPAA breach from occurring; however, the hospital has committed to improving security measures to prevent this type of incident from occurring in the future.

In a statement given to the Security Media Group about the HIPAA Privacy Rule lawsuit, Johns Hopkins Hospital said: “We have implemented numerous steps to educate, inform and empower our staff to identify and alert us if they have any concerns. We also conducted a comprehensive initial inspection of our facilities and continue to conduct random inspections.”

The HIPAA Privacy Rule lawsuit is being filed on behalf of 7,000 patients who have potentially been affected by the actions of the OB/GYN physician. All patients affected have now been sent breach notification letters by the hospital.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news