Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches
Lurie Children’s Hospital of Chicago is facing legal action over two privacy breaches involving employees accessing the medical records of patients without consent.
The lawsuit was filed on behalf of a mother and her 4-year-old child. On December 24, 2019, Lurie Children’s Hospital notified the mother that her daughter’s medical records had been accessed by a nursing assistant at the hospital when there was no legitimate work purpose for doing so. The employee had been discovered to be viewing patient records without authorization between September 10, 2018 and September 22, 2019.
On May 4, 2020, the mother received a second letter explaining that her daughter’s medical records had been accessed without authorization by a different employee. In this case, the employee was discovered to have accessed patient records with no work reason for doing so between November 1, 2018 and February 29, 2020.
In early 2019, the mother took her then 3-year-old child to the hospital for an examination as she had suspicious that her daughter may have been sexually abused.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The mother sought legal advice on May 8, 2020 to find out how she could ensure that her daughter’s medical records could be better protected in the future and to try to find out more information about how two breaches of this nature could have occurred. A lawsuit was filed by the law firm Edelson P.C in Cook County Circuit Court on May 8, 2020.
The lawsuit alleges a breach of contract, breach of confidentiality, and negligence for failing to supervise staff and ensure her child’s medical records remained private and confidential. The accessing of the plaintiff’s medical records was part of two larger breaches that spanned several months before the unauthorized access was identified. The lawsuit seeks class action status and trial by jury.
Both cases were investigated by the hospital, but no evidence was identified to suggest any patient information was obtained or misused by the employees. After unauthorized access was detected and the incidents were investigated, both employees were disciplined in accordance with the hospital’s policies and they no longer work in the hospital.
The lawsuit seeks damages for all patients affected by the breach, the provision of ongoing credit monitoring services for breach victims and calls for measures to be implemented to prevent further privacy breaches in the future.
