HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches

Lurie Children’s Hospital of Chicago is facing legal action over two privacy breaches involving employees accessing the medical records of patients without consent.

The lawsuit was filed on behalf of a mother and her 4-year-old child. On December 24, 2019, Lurie Children’s Hospital notified the mother that her daughter’s medical records had been accessed by a nursing assistant at the hospital when there was no legitimate work purpose for doing so. The employee had been discovered to be viewing patient records without authorization between September 10, 2018 and September 22, 2019.

On May 4, 2020, the mother received a second letter explaining that her daughter’s medical records had been accessed without authorization by a different employee. In this case, the employee was discovered to have accessed patient records with no work reason for doing so between November 1, 2018 and February 29, 2020.

In early 2019, the mother took her then 3-year-old child to the hospital for an examination as she had suspicious that her daughter may have been sexually abused.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The mother sought legal advice on May 8, 2020 to find out how she could ensure that her daughter’s medical records could be better protected in the future and to try to find out more information about how two breaches of this nature could have occurred. A lawsuit was filed by the law firm Edelson P.C in Cook County Circuit Court on May 8, 2020.

The lawsuit alleges a breach of contract, breach of confidentiality, and negligence for failing to supervise staff and ensure her child’s medical records remained private and confidential. The accessing of the plaintiff’s medical records was part of two larger breaches that spanned several months before the unauthorized access was identified. The lawsuit seeks class action status and trial by jury.

Both cases were investigated by the hospital, but no evidence was identified to suggest any patient information was obtained or misused by the employees. After unauthorized access was detected and the incidents were investigated, both employees were disciplined in accordance with the hospital’s policies and they no longer work in the hospital.

The lawsuit seeks damages for all patients affected by the breach, the provision of ongoing credit monitoring services for breach victims and calls for measures to be implemented to prevent further privacy breaches in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.