Threat Management, Risk Assessments/Management, Privacy

Children’s hospital required to improve security in breach settlement

A general view of a gala benefit for Ann & Robert H. Lurie Children’s Hospital of Chicago on April 20, 2012. (Photo by Jeff Schear/Getty Images for Ann and Robert H. Lurie Hospital of Chicago)
The Ann & Robert H. Lurie Children's Hospital of Chicago reached a settled a lawsuit with parents of patients affected by data breaches caused by employees. (Photo by Jeff Schear/Getty Images for Ann and Robert H. Lurie Hospital of Chicago)

A settlement has been reached in the lawsuit filed against Ann & Robert H. Lurie Children’s Hospital of Chicago, filed by parents of patients affected by two data breaches caused by employee wrongdoing.

Instead of the common multi-million dollar monetary benefit, the settlement only includes non-financial relief focused on ensuring Lurie Children’s improves the state of its security program. 

Under the terms of the settlement, Lurie Children’s is required to increase its monitoring of employee access, improve data protection measures, and provide additional employee training on handling medical records.

The proposal is a welcome change in an era where healthcare data breach lawsuits are far too common and monetary benefits provide little, if any, relief to impacted patients.

The lawsuit was filed after reports that an Ann & Robert H. Lurie Children’s Hospital of Chicago employee improperly accessed patient medical records for about a year between Sept. 10, 2018, and Sept. 22, 2019. Upon discovery, the hospital terminated the employee’s access.

The settlement will resolve claims that the failure to protect patient data was caused by the hospital’s negligence. The allegations stemmed from two insider wrongdoing incidents reported by the hospital in 2020.

In the first instance, a former nursing assistant improperly accessed patient medical records over the course of a year between September 2018, and September 2019. The access was not discovered by the hospital until Nov. 15 of that year, prompting officials to terminate the employee’s access to patient information.

An investigation into the incident revealed the employee viewed patient names, contact details, dates of birth, and medical data, including diagnoses and medications. The employee was not able to access Social Security numbers, insurance information, or financial account details. 

The employee was let go from the hospital and the issue was addressed “in accordance with its disciplinary policies.” Lurie Children’s officials apologized to patients for the privacy breach and promised to retrain staff on appropriate access requirements for patient records to prevent a recurrence.

However, yet another insider wrongdoing incident was detected by the hospital the following year, which occurred between Nov. 1, 2018, and Feb. 29, 2020. The nursing assistant who accessed the patient records without authorization was fired.

In response, a parent whose child had their information accessed by the two nursing assistants filed a lawsuit against the hospital for what they claimed were security failures, including failing to properly monitor employee access to patient data and breach of implied contract.

The court ruled the lawsuit failed to provide evidence that any harm was actually caused by the incident, and Lurie Children’s denied they were liable for the incident. The settlement aims to end the litigation and provide tangible relief, in the form of security improvements to ensure there is no recurrence.

A final hearing to certify the proposed settlement is scheduled for Jan. 25, 2023.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.