A class action lawsuit has been filed in the U.S. District Court in Kansas City, Kansas, against several healthcare entities, including the University of Kansas Hospital Authority and Health System (KU Health), Lawrence Memorial Hospital, and Epic Systems Corp.
The lawsuit addresses the illegal access of sensitive patient photographs by a physical therapist employed by KU Health.
Overview of the Lawsuit
The lawsuit claims that the physical therapist accessed the private files of at least 425 female patients, most of whom had undergone breast augmentation or other plastic surgeries at Plastic Surgery Specialists of Lawrence, an affiliate of Lawrence Memorial Hospital.
Despite having no professional connection with the clinic or the patients, the therapist used his KU Health credentials to view private medical records that included nude clinical photos, body measurements, and other personally identifiable information.
The unauthorized access began in February 2021 and continued until February 2023. The lawsuit further contends that the physical therapist accessed patient records without authorization by exploiting the Epic Systems portal, which allowed data sharing between unrelated healthcare institutions.
Privacy Breach and Investigation
After the breach was detected, KU Health conducted an internal investigation and subsequently terminated the physical therapist’s employment. However, the lawsuit asserts that KU Health failed to notify law enforcement about the unauthorized access.
Furthermore, the plaintiffs claim that KU Health did not inform the affected individuals in a timely manner. While the breach was discovered in February 2023, the affected patients were not notified until April 2023, a delay of two months.
The plaintiffs argue that the notification letters provided insufficient information about the breach, omitting details such as the identity of the therapist, the number of affected patients, the nature of the data accessed, and whether the therapist used the information for personal gain.
Details of the Breached Data
The plaintiffs include two Jane Doe plaintiffs, who filed the lawsuit both individually and on behalf of other similarly affected patients.
The breached data reportedly contained highly sensitive information, including before-and-after photographs of nude bodies, with one plaintiff alleging that her face was visible in the photos.
In addition to the visual data, the records accessed by the therapist also contained names, birthdates, contact information, health insurance details, and Social Security numbers.
Claims and Allegations Against the Defendants
The lawsuit alleges that KU Health, Lawrence Memorial Hospital, and Epic Systems Corp. should have detected the unauthorized access much earlier, given the lack of any legitimate treatment relationship between the physical therapist and the affected patients.
The case claims that the unauthorized access should have been identified sooner rather than continuing unchecked for nearly two years.
The plaintiffs assert several legal claims, including:
- Negligence
- Invasion of privacy (intrusion upon seclusion)
- Breach of implied contract
- Intentional infliction of emotional distress
- Negligent training, supervision, and retention
- Breach of contract as a third-party beneficiary
- Violation of the Computer Fraud and Abuse Act
- Violation of the Stored Communications Act
- Violation of the right to informational privacy under the 14th Amendment to the U.S. Constitution
- Violation of the freedom from unreasonable search and seizure under the 14th Amendment
Law Firm’s Statement and Legal Action
The law firm Stueve Siegel Hanson LLP, representing the plaintiffs, highlighted the severe lack of oversight in the healthcare industry regarding unauthorized access to patient data.
Attorney Austin Moore emphasized, “This case seeks to address the significant issue in the healthcare sector where unauthorized personnel can easily access patient information across unaffiliated medical facilities, with little to no monitoring.
We are pushing for stronger safeguards to protect patient data and hold accountable those who have failed in their responsibility to protect it.”
The lawsuit seeks compensatory and punitive damages and has called for a jury trial.
The lawsuit filed against KU Health, Lawrence Memorial Hospital, and Epic Systems Corp. exposes a major failure in safeguarding patient data, highlighting the lack of oversight in medical record access.
With claims ranging from negligence to emotional distress, the plaintiffs seek justice and stronger protections for patient data in the healthcare industry.