The University of Kansas Health System, Lawrence (Kan.) Memorial Hospital and Epic Systems are facing a class-action lawsuit after a physical therapist allegedly accessed the private medical records of more than 400 patients without authorization, The Topeka Capital-Journal reported April 16.

Filed April 15 in the U.S. District Court of Kansas, the lawsuit alleges the therapist — employed by Kansas City, Kan.-based University of Kansas Health System — used his credentials to view sensitive information, including nude photographs and body measurements, over a two-year period at Lawrence Memorial Hospital’s plastic surgery clinic.

KU Health fired the therapist after discovering the alleged breach but did not notify law enforcement or promptly inform affected patients, according to the complaint.

Two months later, the health system sent letters to patients notifying them of the breach. However, the lawsuit claims the notifications lacked key information, including the therapist’s name, the number of patients affected, what specific information was accessed, and whether the data was copied or merely viewed.

The plaintiffs, two unnamed patients, accuse the organizations of negligence, invasion of privacy, and failure to uphold contractual and constitutional protections. The lawsuit also cites alleged violations of federal laws including the Computer Fraud and Abuse Act and the Stored Communications Act.

“LMH Health was made aware this morning that it is one of three parties named in a lawsuit alleging violations of patient privacy. While we can’t comment on ongoing legal action, we want to reassure our patients and community that we take any suspected violation of patient privacy extremely seriously,” a spokesperson for Lawrence Memorial said in an emailed statement to Becker’s . “This claim is under review by legal counsel, and we will keep the community apprised of any additional facts we can share as they become available.”

“The University of Kansas Hospital is one of three parties named in a lawsuit alleging violations of patient privacy. We take this seriously; patient privacy is very important to us. We just received the complaint, and our teams are reviewing it currently,” a KU Health spokesperson said in an emailed statement to Becker’s .

Becker’s has reached out to Epic and will update this story if more information becomes available.