Class Action Lawsuit Filed Against KU Health Alleging Security Breach Led to ‘One of the Most Devastating Kinds of Privacy Violations Imaginable’ for Hundreds of Women
If you believe that your personal information may have been compromised in this breach, please contact our team at 888-756-6499, or fill out a contact form below.
Stueve Siegel Hanson LLP Files Lawsuit Against the University of Kansas Health System, Lawrence Memorial Hospital, and Epic Systems Corporation.
KANSAS CITY, Mo. – April 16, 2025 – Stueve Siegel Hanson LLP has filed a class action lawsuit against The University of Kansas Health System (“KU Health”), Lawrence Memorial Hospital (“Lawrence Memorial”), and Epic Systems Corporation (“Epic”) on behalf of more than 400 women whose highly sensitive medical records — including potentially nude clinical photographs, body measurements, and other private information — were unlawfully accessed by a KU Health employee with no connection to their care.
The lawsuit alleges that beginning as early as February 2021, a physical therapist employed by KU Health used his employer-provided access to Epic’s electronic medical record system to target and view the medical records of women who had undergone augmentation surgeries and procedures at the clinic.
The physical therapist — who had no affiliation to Lawrence Memorial or its plastic surgery clinic and who had never previously provided treatment to the victims — was able to access and obtain highly sensitive information without detection by KU Health or Lawrence Memorial and without alerting or flagging by Epic for a period of more than two years.
“The violation of privacy suffered by these patients is nothing short of devastating,” said Stueve Siegel Hanson partner Austin Moore. “There’s a serious problem in the healthcare industry when an unauthorized employee can access patient records at an unaffiliated medical facility with virtually no oversight. We’re pursuing this case to advocate for stronger safeguards around patient data and to hold accountable those who failed to protect it.”
In April 2023, KU Health notified affected patients by letter that an employee had accessed their information “outside of their job duties” and had been terminated. However, the letter omitted critical details about the nature and motive of the breach, leaving many patients unaware of the full extent of what occurred.
“We believe most victims are unaware they were targeted specifically as female plastic surgery patients,” Moore said.
The lawsuit asserts claims for negligence, invasion of privacy, civil rights violations, and violations of the Computer Fraud and Abuse Act and the Stored Communications Act, among other claims.
The Plaintiffs and class are represented by Austin Moore, Larkin Walsh and Benjamin Stueve of Stueve Siegel Hanson LLP. The lawsuit was filed in the U.S. District Court for the District of Kansas.
A copy of the full Complaint is available here.
Stueve Siegel Hanson attorneys have represented data breach victims in many of the largest data breach cases in history, including cases against Equifax, T-Mobile, and Capital One. The firm's Data Breach and Privacy class action practice has received local and national recognition, including being named among Law360's Cybersecurity & Privacy Practice Groups of the Year.
Data Breach Class Action Lawsuit Against University of Kansas Health System, Lawrence Memorial Hospital and Epic Systems Corporation
