
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

KU Health Facing Lawsuit Over Worker’s Unlawful Accessing of Nude Patient Photos

A class action lawsuit has been filed in the U.S. District Court in Kansas City, Kansas, against the University of Kansas Hospital Authority and Health System (KU Health), Lawrence Memorial Hospital, and Epic Systems Corp. over the unlawful accessing of nude patient photographs by a physical therapist. According to the lawsuit, the unnamed physical therapist accessed the files of at least 425 female patients who had breast augmentation and/or other plastic surgery procedures at Plastic Surgery Specialists of Lawrence, an affiliate of Lawrence Memorial Hospital.

The physical therapist was employed by KU Health and accessed patient records even though he had no affiliation with the plastic surgery clinic and did not have a treatment relationship with any of the patients. The physical therapist used his KU Health credentials to access patient records, which included nude clinical before and after photographs, body measurements, and sensitive personally identifiable information. The unauthorized access began in February 2021 and continued until February 2023.

When the privacy breach was detected, the matter was investigated internally, and the physical therapist was fired, although the lawsuit alleges KU Health failed to notify law enforcement about the illegal medical record access. Epic Systems Corp. was named in the lawsuit because the Epic portal permitted patient data sharing between unrelated health systems.

The lawsuit also takes issue with the notification process, claiming KU Health waited two months before issuing notification letters to the affected individuals, who were only notified about the breach in April 2023, despite the unauthorized access being detected in February 2023. The plaintiffs claim the defendants then failed to provide adequate information in the letters about the nature of the breach, including the name of the physical therapist, how many individuals were affected, what private information was accessed, and whether the physical therapist obtained patient data and images.

The lawsuit names two Jane Doe plaintiffs and was filed by them individually and on behalf of other similarly situated patients. The plaintiffs claim their files included before and after photographs of their fully nude bodies, with one of the plaintiffs claiming her face was visible in the photographs. In addition, the files accessed by the former employee contained names, contact information, dates of birth, health insurance information, and Social Security numbers.

The lawsuit claims the defendants knew or should have known that the physical therapist was accessing patient records without authorization when there was no legitimate treatment relationship with the patients, and the unauthorized access should have been detected quickly, rather than continuing unchecked for two years.

The lawsuit asserts claims of negligence; invasion of privacy (intrusion upon seclusion); breach of implied contract; intentional infliction of emotional distress; negligent training, supervision and retention; breach of express contract; breach of contract as a third-party beneficiary; violation of the Computer Fraud and Abuse Act; violation of the Stored Communications Act; violation of the right to informational privacy under the 14th Amendment to the US Constitution; and violation of the freedom from unreasonable search and seizure under the 14th Amendment.

The lawsuit was filed by the law firm Stueve Siegel Hanson LLP. “There’s a serious problem in the healthcare industry when an unauthorized employee can access patient records at an unaffiliated medical facility with virtually no oversight. We’re pursuing this case to advocate for stronger safeguards around patient data and to hold accountable those who failed to protect it,” said Stueve Siegel Hanson Attorney Austin Moore. The lawsuit seeks a jury trial and compensatory and punitive damages.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist in healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
