Kansas hospital says patient data secure amid privacy lawsuit

Lawrence (Kan.) Memorial Hospital confirmed a patient privacy breach that occurred in 2023, affecting fewer than 0.004% of its patients, according to a message from President and CEO Russ Johnson.

The breach involved an employee of Kansas City-based University of Kansas Health System who accessed patient records outside the scope of their job responsibilities. The individual was not a physical therapist, Mr. Johnson noted in a statement shared with Becker’s.

“Access in this particular situation fell outside of our policy, which limits healthcare workers’ authority to access our patients’ records to those necessary for the care of the patient,” Mr. Johnson said.

The hospital said it identified the breach through internal monitoring and immediately revoked the individual’s access. An investigation determined that most of the accessed records were related to the individual’s job duties, but a subset could not be verified. Affected patients were notified in writing and provided with details about what categories of data were viewed and when.

The breach did not affect two individuals identified as Jane Doe 1 and Jane Doe 2 in an April 15 lawsuit filed in the U.S. District Court of Kansas. The suit names LMH Health, Epic and the University of Kansas Health System. LMH Health said the individuals were not notified because their records were never accessed.

“To be clear, any patient who did not receive written notification from LMH in 2023 can rest assured their records were also not accessed,” Mr. Johnson said.

In response to the incident, LMH Health has increased monitoring efforts and expanded audits to better control and limit system access. 
