Epic Systems
February 23, 2024
Undisclosed
Confirmed
Insider Threat
Technology
"A class action lawsuit has been filed against the University of Kansas Health System, Lawrence Memorial Hospital in Kansas, and Epic Systems by two women who had their nude images and sensitive health information accessed by a physical therapist without authorization when there was no treatment relationship with the patients. Over a period of two years, an unnamed physical therapist employed by the University of Kansas Health System used his login credentials to access the nude photographs of breast augmentation patients. The patients had received services at Plastic Surgery Specialists of Lawrence, an unrelated plastic surgery clinic. The privacy breach was identified by the University of Kansas Health System on or around February 22, 2023. Following an investigation, the physical therapist was terminated, and the affected patients were notified about the privacy breach two months later. The patients were informed that a University of Kansas Health System employee had been discovered to have accessed their health information outside of his job duties between February 2021 and February 2023. Plastic Surgery Specialists of Lawrence is affiliated with Lawrence Memorial Hospital, although neither entity is affiliated with the University of Kansas Health System. The physical therapist should not have been able to access patient data at either of those two entities; however, it was possible through Epic’s health information exchange platform, Care Everywhere, which allows data sharing with healthcare providers across the state of Kansas. According to the lawsuit, the two Jane Doe patients never sought or received medical treatment at the University of Kansas Health System and never sought or received any treatment from the physical therapist. The lawsuit claims the physical therapist accessed photographs of women who had breast augmentation and other related procedures. 
In addition to nude photographs, the physical therapist accessed detailed body measurements and other sensitive health information. The plaintiffs claim that the University of Kansas Health System attempted to downplay the incident by issuing a nondescript breach notification letter, failed to disclose the true nature of the privacy violations, and did not report the matter to law enforcement. The lawsuit claims that at least 425 patients, most likely female, who had undergone surgeries and procedures at Plastic Surgery Specialists of Lawrence had their photographs and other sensitive information viewed by the physical therapist."