Lurie Children’s Hospital Resolves Healthcare Data Breach Lawsuit

Lurie Children’s Hospital agreed to implement additional security measures to settle a healthcare data breach lawsuit.

Chicago-based Lurie Children’s Hospital settled a data breach lawsuit outside of court relating to a security incident that began in 2018. The hospital agreed to implement additional security measures to protect patient health information. Unlike other healthcare data breach settlements, no monetary agreement was made, meaning impacted individuals are not eligible to receive any damages.

In December 2019, Lurie Children’s sent a notice to patients informing them that an employee had improperly accessed patient data without a valid reason between September 2018 and September 2019. The hospital immediately terminated the employee’s access to patient information.

In May 2020, Lurie Children’s notified patients that another employee had improperly accessed patient information “without a work-related reason” between November 2018 and February 2020. That employee’s access was also terminated following the discovery.

The lawsuit, filed by “Jane Doe” on behalf of her child, alleged that Lurie Children’s breached its implied contract and its privacy practices and neglected to supervise its staff appropriately in order to protect sensitive health information.

Lurie Children’s Hospital denied the allegations and noted that the “plaintiff fails to state a claim upon which relief can be granted including because Plaintiff fails to assert any basis that Lurie Children’s Hospital proximately caused any harm.”

If the court approves the final settlement, Lurie Children’s Hospital will implement more robust security measures, including increased monitoring of employee medical record access via detailed audit logs and additional training on the importance of patient privacy. In addition, the hospital will apply “Break the Glass” protocols to “highly sensitive medical information for certain treatments.”

“These security measures include monitoring of employees’ access of electronic medical records in audit logs, applying a special designation to highly sensitive medical information involving evaluations for sexual abuse or sexual assault, requiring additional confirmations of authorization and monitoring before employees can access this specially designated information, reviewing audit alerts at least twice a week, and requiring additional training on patient privacy and appropriate access for certified nursing assistants,” the settlement agreement continued.

The Court will hold an approval hearing on January 25 to finalize the settlement.
