Ann & Robert H. Lurie Children’s Hospital has proposed a settlement to resolve a class action lawsuit filed in response to two privacy breaches involving unauthorized medical record access by employees.
On November 15, 2019, the Chicago hospital discovered an employee had been impermissibly accessing patient records. The investigation determined the unauthorized access occurred between Sept. 10, 2018, and Sept. 22, 2019. The employee, a nursing assistant, viewed patient records that included names, addresses, dates of birth, and medical information, including diagnoses, medications, appointments, and procedures. Once the unauthorized access was confirmed, the employee was terminated. Lurie Children’s Hospital notified affected patients in December 2019 and said there was no reason to suggest the information had been further discovered or misused.
A similar breach was detected by the hospital in 2020. A nursing assistant was discovered to have accessed patient records without authorization between November 1, 2018, and February 29, 2020, and was also terminated. Patients were notified about the breach in May 2020. A mother took legal action against the hospital on behalf of her 4-year-old daughter, whose medical records and been impermissibly accessed by the two nursing assistants. Her daughter’s records included details of an examination to investigate suspected sexual abuse.
The lawsuit – Doe v. Lurie Children’s Hospital of Chicago – alleged the hospital had been negligent for failing to protect patient records, the hospital breached its implied contract, and failed to monitor employees’ access to patients’ medical records. Lurie Children’s Hospital denied liability for the breach and did not admit any wrongdoing and maintained the plaintiff failed to state a claim in the lawsuit upon which relief can be granted, as the plaintiff failed to assert any basis that the actions of the hospital caused any harm.
Lurie Children’s Hospital proposed a settlement to put an end to the allegations of wrongdoing. The proposed settlement does not include any monetary benefits, but the hospital has agreed to make changes to policies and procedures and implement additional safeguards to better protect patient data. Those measures include increased monitoring of employee access logs, which include twice weekly reviews of audit alerts, and a commitment to provide employees with additional training on medical record access. The hospital has also stated that it will be applying “break the glass” protocols for highly sensitive medical information related to certain treatments, including evaluations for sexual abuse and sexual assault.
The deadline for objection and exclusion is January 4, 2023. The final approval hearing has been scheduled for January 25, 2023.
The post Lurie Children’s Hospital Proposes Settlement to End Insider Breach Lawsuit appeared first on HIPAA Journal.