The University of Kansas Hospital Authority, Lawrence Memorial Hospital, and Epic Systems Corp. are facing a class action lawsuit. Filed on April 15, the suit involves two patients who claim their private medical data was breached by a physical therapist. The breach affected over 400 individuals, primarily women who had undergone breast augmentation and other surgeries. The therapist, employed by KU Health, accessed highly sensitive information from the patients’ medical files without having any legitimate treatment relationship with them.
The lawsuit highlights that the therapist used KU Health credentials to access intimate data, including nude clinical photographs and body measurements, for over two years. KU Health failed to take appropriate action when they became aware of the breach. The lawsuit alleges that the hospital did not notify law enforcement or patients immediately after the breach was discovered. Instead, patients were informed two months later, and the hospital did not provide clear details about the extent of the breach.
The plaintiffs’ medical files contained deeply personal information, such as Social Security numbers, body measurements, and before-and-after photos from surgeries. The lawsuit claims that KU Health’s lack of oversight allowed the therapist to exploit the patients’ private data unchecked. KU Health also allegedly failed to offer full transparency regarding the breach, leaving patients uncertain about the number of individuals affected and whether their data was copied or just viewed by the therapist.
The class action includes multiple legal claims, such as violations of privacy laws, negligence, and violations of both the Computer Fraud and Abuse Act and the Stored Communications Act. The plaintiffs are suing KU Health for failing to prevent the breach and for mishandling the aftermath. Lawrence Memorial Hospital and Epic Systems Corp. are also named in the lawsuit for their roles in the breach, with claims of negligent practices and breach of contract.
Reference: