photo by: Contributed

LMH Health's main campus at 325 Maine St.

A new message from the leader of LMH Health said the hospital properly notified all patients impacted by a breach of health records that now is the subject of a pending class-action lawsuit.

In an email message to various members of the community, LMH President and CEO Russ Johnson said there was a “breach of protected health information” in 2023 that “affected a very small number of our patients.” Johnson said the hospital not only notified patients impacted by the breach, but was the entity that discovered the incident and reported it to state authorities.

As the Journal-World reported on Wednesday, a complaint was filed in U.S. District Court alleging that a physical therapist employed by the University of Kansas Health System used his credentials to electronically access health records of Plastic Surgery Specialists of Lawrence, an affiliate of LMH. The lawsuit alleges that the KU Health employee accessed medical records that included nude photos of patients who had undergone breast augmentation procedures.

While the physical therapist — who has since had their employment terminated by KU Health, according to the complaint — didn’t have a connection to LMH Health, the complaint alleges that LMH Health didn’t properly notify its patients of the breach.

In his email to community partners, Johnson said the hospital has notified all patients who had their records inappropriately accessed, and also reported the matter to state authorities. Johnson said LMH is proactive in protecting patient privacy, including conducting periodic audits of who has accessed patient records.

“LMH periodically audits which staff members access which records, and when we find an outlier, we act,” Johnson said in the message. “In 2023, we immediately terminated access of the individual and initiated an investigation, which showed that while most records accessed were appropriately related to job duties, some were not.

“In instances where we could not confirm that that the access was indeed related to job duties, we notified the patient in writing to make them aware of the categories of information viewed and the date of access. LMH Health also reported the individual to the appropriate authorities with the State of Kansas.”

The complaint lists two patients — Jane Doe 1 and Jane Doe 2 — as patients of the LMH practice who did not receive notification of the breach. In his message, Johnson said LMH received the names of those patients in a separate legal filing, and have investigated whether their records were inappropriately accessed. He said LMH found they were not inappropriately accessed.

“(T)here was no breach of LMH records for either of these two patients,” Johnson said. “This explains why they did not receive a notification from LMH. To be clear, any patient who did not receive written notification from LMH in 2023 can rest assured their records were also not accessed.”

Johnson also said the lawsuit was inaccurate in listing the KU Health employee in question as a physical therapist. Johnson said the employee was not a physical therapist, but Johnson did not say what position the employee held.

In his statement, Johnson did not identify a specific number of patients who had their files breached. Instead, he said it was a number less than 0.004 percent of all LMH patients. The legal complaint, filed by the law firm Stueve Siegel Hanson LLP, is seeking more than $5 million on behalf of at least 425 patients who had undergone various surgeries and procedures at Plastic Surgery Specialists of Lawrence.

The complaint alleges the privacy invasions caused by the breach have resulted in “profound emotional and psychological trauma” to plaintiffs, including persistent anxiety when seeking medical treatment and a loss of trust in confidentiality. The plaintiffs also claim a “debilitating fear” that they are being stalked by the individual who allegedly accessed the records, who they have reason to believe lives in Lawrence.

The complaint alleges 13 legal violations, including computer fraud and abuse, negligence, breach of contract, invasion of privacy, intentional infliction of emotional distress and other claims. It asks the court to certify the matter as a class action and to set it for jury trial.

In addition to the University of Kansas Health System and LMH Health, the electronic records company, Epic Systems Corporation, also has been named as a defendant.

photo by: Submitted

Russ Johnson

Johnson said LMH Health has investigated the records breach incident extensively and has “increased the frequency and depth” of the monitoring LMH Health conducts in terms of records systems.

“This situation provided an opportunity for review and improvement, and we continually update the processes and technical safeguards in place to protect our patients’ information,” Johnson said.

Johnson noted the importance of the audit system LMH uses, which led to the detection of a breach in this matter. He also said all LMH employees receive patient privacy (HIPPA) training at least annually.

“Protecting patient privacy is a complex but high-priority endeavor for the entire healthcare industry, and that is certainly the case for us here at LMH Health,” Johnson said. “Respectfully notifying our patients in the event of such an incident is also of concern to LMH. It’s just one more way in which we care for you and your family.”