Settlement Proposal of Lurie Children’s Hospital to Resolve Insider Breach Lawsuit

Ann & Robert H. Lurie Children’s Hospital has offered to settle a class action lawsuit that was filed in relation to two privacy breaches where employees accessed medical records without authorization.

The Chicago hospital found out on November 15, 2019 that an employee was impermissibly viewing patient data. The investigation confirmed that the unauthorized access took place from Sept. 10, 2018 until Sept. 22, 2019. The employee, who worked as a nursing assistant, accessed patient data that included names, addresses, birth dates, and medical data such as diagnoses, prescription drugs, visits, and treatments. Upon confirmation of the unauthorized access, the employee was dismissed. Lurie Children’s Hospital informed impacted patients in December 2019, saying there was no indication that their data were further exposed or misused.

The hospital detected an identical breach in 2020. A nursing assistant was found to have accessed patient data without authorization from November 1, 2018 until February 29, 2020, and was likewise dismissed. Patients were informed of the breach in May 2020. A mother filed a lawsuit against the hospital on behalf of her 4-year-old daughter, whose health records were impermissibly viewed by two nursing assistants. The girl’s records contained information about an examination related to a suspected sexual abuse investigation.

The Doe v. Lurie Children’s Hospital of Chicago lawsuit claimed that the hospital was negligent in its duty to protect patient data, committed a breach of implied contract, and was unable to keep track of employees’ access to the health records of patients. Lurie Children’s Hospital did not accept liability for the breach and did not admit any wrongdoing. It claimed the plaintiff failed to state a claim on which relief could be granted, as the plaintiff did not show any evidence that the activities of the hospital resulted in any harm.

Lurie Children’s Hospital offered a settlement to end the accusations of wrongdoing. The proposed settlement doesn’t involve any financial benefits. However, the hospital has stated that it will revise its policies and procedures and carry out supplemental safety measures to better secure patient information. Those actions include better tracking of employee access records, including twice-weekly assessments of audit notifications, and a commitment to give employees supplemental training regarding medical record access. The hospital has additionally stated that it will apply standards for highly sensitive medical data associated with specific treatments, such as examinations for sexual abuse and sexual assault.

January 4, 2023 is the last day for filing objections and exclusions. The final approval hearing will be on January 25, 2023.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA