Children's Mercy Hospital Sued in the Wake of Large-Scale Data Breach

Phishing emails were the culprit behind a giant data breach at Children's Mercy Hospital that led to the theft of 63,049 patients' confidential information. Although the federal government has not yet sought action in relation to the breach, a private Missouri law firm filed a class action lawsuit against the hospital, seeking damages for those whose personal data was exposed.

The large-scale data breach stemmed from a total of five email compromised emails accounts. Between early December, 2017 and January of the following year, the accounts were accessed by an unauthorized person after employees followed an email link to a phony website and login page, where they entered their user names and passwords. The information may have included patient names, medical record numbers, diagnoses and conditions, and the dates of hospital stays and procedures.

The hospital posted a notification about the breach on its website in January, 2018, as soon as they learned it had happened. However, due to the large number of patients involved, Children's Mercy sent out notification letters to individual patients in batches; it was months before some families learned that their personal information had been compromised.

As the Kansas City Star reported on July 3, 2018, patients expressed frustration that their children's confidential information in particular had been exposed. A spokesperson for the hospital, Lisa Augustine, was quoted in the Star as saying, "The hospital has taken and continues to take steps to protect against any further incidents. These steps have included the implementation of the additional technical control of multi-factor authentication."

Although the hospital was not immediately aware of any misuse of the compromised information, it took the precaution of automatically enrolling the patients who were affected by the breach in a year of the AllClear ID program at no cost. Children's Mercy also made a call center and informational webpage available to families looking for answers to questions about how they could potentially be affected by the breach.

The phishing attack was only one in several recent data breaches involving Children's Mercy Hospital between 2017 and 2018. In late June, the Missouri hospital reported an additional breach that compromised 1,463 patients' protected health information to the Department of Health and Human Services' Office for Civil Rights.

This second, smaller breach resulted from another unauthorized access disclosure, this time involving the interception of unencrypted pages physicians sent from hospital while engaged in their normal hospital rounds. An IT worker from Johnson County, Missouri, who was also a radio hobbyist, purchased an inexpensive antenna, which he connected to his laptop in conjunction with a software-defined radio, ostensibly so that he could view television channels for free. By accident, he also intercepted the pages containing sensitive patient information. He was not only able to intercept pages from Children's Mercy but from hospitals as far off as Kentucky and Michigan as well.

Children's Mercy reported yet another incident to the HHS's Office of Civil Rights in May of 2017. In this case, an individual physician uploaded sensitive patient information on to an unauthorized website, one that lacked the appropriate security controls, hoping to create an "educational resource." The incident compromised the protected health information of 5,511 patients.

Less than a year before the December, 2017 and January, 2018 phishing hack, the Kansas City Star reported that Missouri had more medical security breaches than any other state of its size in the country. The phishing attacks, however, led to the second largest medical security breach in the state since 2010.

The Kansas City law offices of McShane and Brady filed a class action suit over the phishing incident in July, 2018, claiming that Children's Mercy had not only breached its fiduciary duty to its patients but was also in violation of Missouri state law. The lawsuit seeks damages for all of the patients who were affected by the data security breach; however, it does not stipulate what the exact nature of the damages is.

"Patients trust health care providers with our medical information and when that is released without our authorization, they're breaking our trust and breaching what we've asked them to do," said Maureen Brady, partner at McShane and Brady, speaking to reporters for HIPAA Journal. "When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept."