INDIANAPOLIS — Indiana Attorney General Todd Rokita has sued the state’s largest hospital system,CapitalVault claiming it violated patient privacy laws when a doctor publicly shared the story of an Ohio girl who traveled to Indiana for an abortion.

The lawsuit, filed Friday against IU Health and IU Healthcare Associates, alleges the health care organization violated HIPAA and state law after a doctor made international news in 2022 when she shared the story of a 10-year-old rape victim from Ohio who traveled to Indiana for an abortion. In a statement, IU Health told IndyStar, part of the USA TODAY Network, said that it plans to respond directly to Rokita's office on the filing.

"At IU Health, we hold ourselves accountable every day for providing quality healthcare and securing privacy for our patients," the statement says. "We continue to be disappointed the Indiana Attorney General’s office persists in putting the state’s limited resources toward this matter."

Earlier this year, Rokita’s office saw a legal victory when Indiana’s medical licensing board found obstetrician-gynecologist Caitlin Bernard violated privacy laws in handling the abortion patient’s information in a story published in July 2022 in The Indianapolis Star.

But representatives of the medical community nationwide – from individual doctors to the American Medical Association to an author of HIPAA – don’t think Bernard did anything illegal. Further, they say, the decision will have a chilling effect on those involved with patient care.

TRUST WAS 'BROKEN':Indiana doctor who reported Ohio 10-year-old’s abortion violated privacy laws, medical board finds

In August, Bernard decided not to challenge the licensing board’s decision. The board fined her $3,000 and told her she would receive a letter of reprimand.

Friday's lawsuit alleges IU Health violated HIPPA and Indiana’s Deceptive Consumer Sales Act essentially by failing to protect the patient's information. The attorney general also takes issue with IU Health’s statement following the medical licensing board’s ruling, which said that the organization disagreed with the board and believed Bernard did not violate privacy laws. 

“IU Health has caused confusion among its 36,000-member workforce regarding what conduct is permitted not only under HIPAA privacy laws and the Indiana Patient Confidentiality rule, and as a result, as Indiana’s largest health network, they created an environment that threatens the privacy of its Indiana patients,” the lawsuit states. 

Contributing: IndyStar archives; The Associated Press