Getty Images

Indiana AG Sues IU Health For Violating Patient Privacy of 10-Year-Old Rape Victim

According to the lawsuit, IU Health failed to protect patient privacy and committed HIPAA violations after a doctor disclosed a 10-year-old rape victim’s abortion story to the press.

Indiana Attorney General Todd Rokita filed a lawsuit against the University of Indiana Health (IU Health) and IU Healthcare Associates over their alleged failure to safeguard patient privacy and abide by HIPAA and Indiana state law. The case arose in June 2022 when a 10-year-old rape victim and her mother sought abortion care at an IU hospital and faced a front-page news story in the Indianapolis Star detailing their case, while still in recovery at the hospital.

“The news story quoted the girl’s doctor. The 10-year-old's treatment was a very private and sensitive matter, as was the abuse she suffered that resulted in her pregnancy,” the lawsuit stated. “Neither the 10-year-old nor her mother gave the doctor authorization to speak to the media about their case.”

The Indianapolis Star story contained specific details about how far along the patient was in her pregnancy, and was soon picked up by national news outlets. President Biden even spoke about the incident in a speech to make the case for abortion exceptions for rape and incest, the lawsuit noted.

What’s more, hospital administrators allegedly doubled down on the action by emailing multiple media outlets and stating that the doctor was in compliance with privacy laws according to the hospital’s internal review.

“Rather than protecting the patient, the hospital chose to protect the doctor, and itself,” the lawsuit alleged.

In May 2023, the Indiana Medical Licensing Board conducted a hearing and determined that the doctor had violated HIPAA by improperly de-identifying patient data and disclosing patient information. The Board also determined that the doctor had violated the Indiana patient confidentiality rule by failing to obtain patient permission before disclosing information.

The lawsuit alleged seven counts against IU Health, including failure to mitigate harm, to train the workforce, to notify patients of a breach, to implement and document sanctions, to document disclosures of personal health information, and to implement administrative, technical and physical safeguards. The lawsuit also alleged violations of Indiana’s Deceptive Consumer Sales Act.

“Doctors and all health care professionals should be able to rely on their employers and patients should be able to trust their doctors,” Rokita said. “When a hospital or other healthcare provider makes your private medical information public, that trust is decimated. As a result, the quality, delivery, and sustainability of our healthcare is significantly weakened.” 

Next Steps

Dig Deeper on Health data access & privacy