$190M Lawsuit Over Potential HIPAA Privacy Violations Settled by Johns Hopkins Health System

by | Jul 23, 2014

A civil action lawsuit arising from HIPAA violations caused by a physician at the Johns Hopkins Health System has been settled for a $190 million.

The settlement arose due to a HIPAA Privacy Rule violation caused by an obstetrician and gynecologist who had used a concealed camera to take photographs and videos of his patients during examinations.

The physician used a pen-like device to take 140 inappropriate pictures and approximately 1,200 videos of his patients, according to the findings of a review into professional misconduct.

Dr. Nikita Levy, M.D., had been employed at the hospital for more than 20 years, but in early 2013 another hospital staff member alerted management about a device that Levy was seen wearing around his neck during patient examinations. While the device looked like a pen, the member of staff believed that it was actually a camera.

The matter was made known to hospital’s Information Security Department and Levy was interviewed in his office by security staff. They found a number of devices which they believed to be hidden cameras and they asked the physician to hand over all of these devices, which he did.

An review of into the matter was begun, but a few days later Levy committed suicide. Law enforcement was notified and a search of the physician’s home was complete where they found a number of images and videos of the bodies of his patients, most of which were unidentifiable. The material was located on a multiple servers in the physician’s home, although according to a representative of Johns Hopkins, “Thankfully, law enforcement found no indication that any images were ever shared.”

Information Security Group was advisedd by Johns Hopkins that action has been taken to enhance privacy standards at the hospital since the physician’s actions were uncovered. The spokesperson said “We have implemented numerous steps to educate, inform and empower our staff to identify and alert us if they have any concerns. We also conducted a comprehensive initial inspection of our facilities and continue to conduct random inspections.”

A release on the hospital website said, “We have come to an agreement that the plaintiffs’ attorneys and Johns Hopkins Health System believe is fair and properly balances the concerns of thousands of plaintiffs with obligations the Health System has to provide ongoing and superior care to the community. It is our hope that this settlement – and findings by law enforcement that images were not shared – helps those affected achieve a measure of closure.”

The settlement covers “more than 7,000 unique registrants,” and according to the hospital, many of these were underage. As per the HIPAA breach notification rules, the hospital issued letters to all concerned alerting them of an invasion of their privacy and posted an official notice to the media, although it is not clear whether the matter was reported to the OCR or if the hospital considers this to be a violation of HIPAA or just a violation of patient privacy.

Under HIPAA regulations, personally identifiable material, including physical records, electronic medical records and personal identifiers are classed as PHI, which includes images and photos. These are classified as PHI if a patient can be recognized from the images. It could be claimed that even if the patients’ faces were not on the videos or images, they may still have been identifiable, and it is therefore possible that HIPAA laws have been breached.

What is not obvious is whether it is reasonable to expect the hospital to have taken action to avoid the incident occurring. Healthcare providers can certainly put in pace safeguards to prevent staff from violating HIPAA, such as providing training and advising the staff that it is not permissible to capture photographs of patients – for non-medical reasons – or to take PHI for personal use. Whether this would have stopped the doctor from taking the photographs will remain unknown.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy