The Ann & Robert H. Lurie Children’s Hospital, based in Chicago, Illinois, has proposed a settlement to resolve a privacy-related class action lawsuit. The lawsuit was filed in response to two privacy breaches in which protected health information (PHI) was accessed by unauthorized employees.
The breach was discovered on November 15, 2019. Lurie Children’s Hospital then launched an investigation into the breach, which discovered that a nursing assistant had been accessing patient records for over a year between September 10, 2018, and September 22, 2019. The records that were accessed included information such as names, dates of birth, addresses, diagnoses, medications, procedures, and appointment details. Once the culprit was determined, their contract of employment was terminated.
Lurie Children’s Hospital sent breach notification letters to the affected patients in December 2019. In the letter, they assured patients that there was no reason to believe that their records were being used maliciously.
This is not the first time that the Lurie Children’s Hospital has been caught up in such a scandal. In 2020, a similar breach was discovered, with a nursing assistant accessing patient records between November 1, 2018, and February 29, 2020. This employee’s contract was also terminated. Affected patients were notified of the breach in May 2020, after which a mother whose 4-year-old daughter’s records had been accessed took legal action against the hospital. The child’s records included details of an examination to investigate suspected sexual abuse.
That lawsuit, Doe v. Lurie Children’s Hospital of Chicago, alleges that the hospital breached its implied contract, failed to monitor employees’ access to medical records, and failed to protect patient records. The Children’s Hospital denied that it was liable for the breach, maintaining that the plaintiff failed to state a claim in the lawsuit for which relief can be granted. The hospital states that the plaintiff failed to show any basis for the assertion that the hospital caused harm, denying any wrongdoing.
Even so, Lurie Children’s Hospital proposed a settlement to end any allegations of wrongdoing. The settlement is not financial, but involves changes to the hospital’s policies to prevent further breaches. This includes increased monitoring of access logs, twice-weekly reviews of audit alerts, and additional training. New procedures will be in place for files related to sexual abuse.
The deadline for objection and exclusion is January 4, 2023. The final approval hearing has been scheduled for January 25, 2023.