
KU Health sued over unauthorized access to patient photos


A KU Health therapist is accused of exploiting cross-system access to view private patient photos and records, prompting a major privacy lawsuit.


What happened

A class action lawsuit has been filed against the University of Kansas Health System (KU Health), Lawrence Memorial Hospital (LMH), and health software provider Epic Systems Corporation. The suit alleges that a physical therapist employed by KU Health unlawfully accessed the medical records and, in some cases, nude clinical photographs of more than 400 patients who were treated at an unaffiliated hospital in Lawrence, Kansas.

The lawsuit, filed in the U.S. District Court in Kansas City, focuses on two patients, “Jane Doe #1” and “Jane Doe #2,” who were notified of the breach in 2023. KU Health has acknowledged receiving the complaint and stated it is under review.


Going deeper

According to the Kansas City-based law firm Stueve Siegel Hanson LLP, the privacy violations began in February 2021 and continued undetected for two years. The physical therapist used his KU Health credentials to access patient records through Epic’s portal, targeting at least 425 individuals who had undergone procedures at Plastic Surgery Specialists of Lawrence, despite having no treatment relationship with any of them.

The lawsuit alleges a broader systemic issue: Epic’s technology reportedly allowed data sharing between unrelated healthcare institutions without adequate oversight. The plaintiffs claim KU Health failed to properly restrict employee access, and that the hospital’s delayed and vague notification in 2023 left many victims uncertain about the severity of the breach.
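The failure described above is a missing treatment-relationship check combined with no review of the access audit trail. The following is an added illustration, not code from the article, from KU Health, or from Epic Systems, of how a defender can run that check over an EHR access log: every record open is compared against a table of known clinician-patient relationships (encounters, care-team assignments), and opens with no relationship are flagged, with extra weight for cross-organisation access and sensitive record types such as clinical photographs. The log entries, the relationship table, the field names and the review threshold are all constructed assumptions for the example.

```python
"""Treatment-relationship check over a constructed EHR access audit log.

Added example; not the article's, KU Health's or Epic's code. Field names,
sample events, the relationship table and the threshold are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime          # when the record was opened
    user: str             # workforce account that opened it
    user_org: str         # organisation that issued the account
    patient: str          # patient identifier
    patient_org: str      # organisation that holds the record
    record_type: str      # e.g. "note" or "clinical_photo"


# Constructed: (user, patient) pairs backed by an encounter or care-team entry.
RELATIONSHIPS = {
    ("pt_alice", "P-1001"),
    ("pt_alice", "P-1002"),
    ("dr_bob", "P-2001"),
    ("dr_bob", "P-2002"),
}

# Constructed sample audit trail for two organisations that share records.
SAMPLE_LOG = [
    AccessEvent(datetime(2021, 2, 3, 9, 12), "pt_alice", "HospA", "P-1001", "HospA", "note"),
    AccessEvent(datetime(2021, 2, 3, 9, 40), "pt_alice", "HospA", "P-1002", "HospA", "note"),
    AccessEvent(datetime(2021, 2, 4, 22, 5), "pt_alice", "HospA", "P-3001", "ClinicB", "clinical_photo"),
    AccessEvent(datetime(2021, 2, 4, 22, 9), "pt_alice", "HospA", "P-3002", "ClinicB", "clinical_photo"),
    AccessEvent(datetime(2021, 2, 5, 23, 1), "pt_alice", "HospA", "P-3003", "ClinicB", "clinical_photo"),
    AccessEvent(datetime(2021, 2, 5, 10, 0), "dr_bob", "HospA", "P-2001", "HospA", "note"),
    AccessEvent(datetime(2021, 2, 5, 10, 30), "dr_bob", "HospA", "P-3004", "ClinicB", "note"),
]


def has_relationship(user: str, patient: str, relationships=RELATIONSHIPS) -> bool:
    """True when the user has a documented care relationship with the patient."""
    return (user, patient) in relationships


def flag_events(events: Iterable[AccessEvent], relationships=RELATIONSHIPS) -> list[dict]:
    """Return one finding per record open that lacks a treatment relationship.

    Each finding lists why it was flagged so a reviewer can prioritise
    cross-organisation opens of sensitive record types first.
    """
    findings = []
    for e in events:
        if has_relationship(e.user, e.patient, relationships):
            continue
        reasons = ["no_treatment_relationship"]
        if e.user_org != e.patient_org:
            reasons.append("cross_organisation")
        if e.record_type == "clinical_photo":
            reasons.append("sensitive_record_type")
        findings.append({"user": e.user, "patient": e.patient, "ts": e.ts, "reasons": reasons})
    return findings


def users_over_threshold(findings: list[dict], min_unrelated: int = 3) -> dict[str, int]:
    """Users whose count of unrelated record opens meets the review threshold."""
    counts = Counter(f["user"] for f in findings)
    return {user: n for user, n in counts.items() if n >= min_unrelated}


if __name__ == "__main__":
    found = flag_events(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']} -> {f['patient']}: {', '.join(f['reasons'])}")
    print("review:", users_over_threshold(found))
```

A single unrelated open (dr_bob in the sample) may be a legitimate consult and only warrants a look; a user who repeatedly opens photographs of patients at another organisation with no relationship on file is the pattern that, per the complaint, went unreviewed for two years. In a real deployment the relationship table would be derived from scheduling and care-team data, and the check would run both at access time (as a prompt or block) and retrospectively over the audit log.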

Both plaintiffs had pre- and post-operative photographs taken during their care at LMH. Those images were allegedly viewed by the unauthorized employee.

The suit asserts multiple claims, including negligence, invasion of privacy, civil rights violations, and breaches of federal computer and communications laws. It seeks compensatory and punitive damages and calls for a jury trial.


What was said

Attorney Austin Moore of Stueve Siegel Hanson stated, “There’s a serious problem in the healthcare industry when an unauthorized employee can access patient records at an unaffiliated medical facility with virtually no oversight. We’re pursuing this case to advocate for stronger safeguards around patient data and to hold accountable those who failed to protect it.”

In public statements, both KU Health and LMH reiterated their commitment to protecting patient privacy. KU Health confirmed it had terminated the employee and is reviewing the lawsuit. LMH said that it takes suspected privacy violations seriously and is currently reviewing the legal claims.

LMH Health President and CEO Russ Johnson added, “Protecting patient privacy is a complex but high-priority endeavor for the entire healthcare industry… Respectfully notifying our patients in the event of such an incident is also of concern to LMH. It’s just one more way in which we care for you and your family.”


The big picture

At its core, this case highlights a growing disconnect between the convenience of shared digital health systems and the responsibility to protect deeply personal information. When access is easy but oversight is weak, patients are the ones left exposed. It’s not just about one therapist or one hospital; it’s about how the systems we trust with our most vulnerable moments can quietly fail us. And when they do, the burden often falls on the victims to seek answers that should never have been needed in the first place.


FAQs

What legal protections exist for patients in cases of unauthorized record access?

Patients are protected under HIPAA, which prohibits unauthorized access to personal health information. Violations can lead to civil penalties, criminal charges, and lawsuits.


Can healthcare staff access records from other hospitals using Epic?

Yes. Epic supports record sharing between institutions, so whether an employee can view another institution’s records depends on how those data-sharing permissions and access restrictions are configured.


How quickly should patients be notified after a data breach?

HIPAA requires notification within 60 days of discovering a breach, but delays or vague notices may violate regulatory standards and erode trust.


What are the potential consequences for KU Health and Epic Systems?

They could face financial penalties, court-ordered reforms, and reputational damage if found negligent in safeguarding patient data or controlling system access.


What steps can patients take if they believe their privacy was violated?

Patients can file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights or seek legal counsel for potential civil action.