Lurie Children's Hospital of Chicago is being sued by the parent of a pediatric patient over two recent data breaches.
An anonymous plaintiff and her 4-year-old daughter filed a complaint against the hospital and two former employees in the Circuit Court of Cook County, Illinois, on May 8.
Mother and daughter, referred to as Jane Doe and Baby Doe, are seeking class-action status and a trial by jury with the support of law firm Edelson P.C.
In the suit, the plaintiffs accuse Lurie of breach of contract, breach of confidentiality, and negligent supervision for allegedly failing to keep Baby Doe's medical records safe.
Jane Doe received a letter on December 24, 2019, informing her that her daughter's records had been accessed by an unnamed nursing assistant without authorization between September 10, 2018, and September 22, 2019.
Baby Doe, then aged 3, had been taken to Lurie for an examination after her mother developed a suspicion that the toddler had become a victim of sexual abuse.
The suit alleges that Baby Doe's records were accessed as part of a larger data breach in which thousands of patients’ names, addresses, dates of birth, and medical information like diagnoses, medications, appointments, and procedures were accessed without authorization.
Lurie fired the employee at the center of the cybersecurity incident after the breach was detected. The hospital stated at the time that no evidence had been found to suggest the employee had misused or shared any patient data.
On Monday, May 4, Jane Doe was notified of a second data breach concerning her daughter's medical records by Lurie. The hospital said that Baby Doe's records were accessed without authorization by another unnamed hospital worker between November 1, 2018, and February 29, 2020.
The plaintiffs allege that Lurie failed to state what action would be taken to ensure the security of the patient’s medical records.
In a statement, Lurie spokesperson Julie Pesch said: “In December 2019 and May 2020, Lurie Children’s notified some of our patients about two nurse assistants who had accessed certain patients’ medical records without an identified patient need. We have no reason to suspect any misuse of patient information associated with this incident. Lurie Children’s addressed this issue in accordance with our disciplinary policies, and the employees no longer work for the Hospital.”