Children’s Mercy Hospital Sued Over 63,000-Record Data Breach


Legal action has been taken over a phishing attack on Children’s Mercy Hospital that led to the theft of 63,049 patients’ PHI.

In total, five email accounts were compromised between December 2017 and January 2018. On December 2, 2017, two email accounts were found to have been accessed by an unauthorized individual after employees responded to phishing emails. Links in the emails directed the employees to a website where they were tricked into entering their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, and a fifth and final account was compromised in early January.

The attacker downloaded the mailboxes of four of the compromised email accounts, resulting in the unauthorized disclosure of patients’ PHI. Patients were informed of the breach through a substitute breach notice on the Children’s Mercy website, and notification letters were sent by mail. Because of the number of people affected, the letters were sent in batches. According to a recent report in the Kansas City Star, some patients have only just been informed that their PHI was stolen.

In addition to the phishing attack, Children’s Mercy Hospital reported a separate breach of 1,463 patients’ PHI to the Department of Health and Human Services’ Office for Civil Rights on June 27, 2018, categorized as an unauthorized access/disclosure incident. That incident involved the interception of unencrypted pager messages sent by doctors at the hospital. The messages were viewed by a radio hobbyist using an antenna and a software-defined radio (SDR) on a laptop. Children’s Mercy was not the only hospital affected by that incident.

Children’s Mercy Hospital also reported an unauthorized access/disclosure incident to OCR on May 19, 2017. That incident affected 5,511 patients. In that case, PHI had been uploaded by a doctor to a website that was not authorized and lacked appropriate security controls.

Earlier this week, the Kansas City law firm McShane and Brady filed a class action lawsuit over the phishing incident. The lawsuit alleges that Children’s Mercy violated Missouri law and breached its fiduciary duty to patients.

“Patients trust health care suppliers with our medical information and when that is released without our approval, they’re breaking our confidence and violating what we have asked them to do,” said Maureen Brady, a partner at McShane and Brady. “When we pay them for our cure, a portion of that price point goes to training and computer software and files maintenance and making certain our secrecy is maintained.”

While the lawsuit seeks damages for all patients affected by the breach, the amount of those damages has not been specified in the complaint.

This is not the first time that legal action has been taken against Children’s Mercy Hospital over a privacy breach, nor is it the first time McShane and Brady have sued the hospital. The law firm also filed a class action lawsuit over the 5,511-record breach in 2017.

There is no private cause of action in HIPAA, so patients cannot sue for the disclosure of PHI resulting from a HIPAA violation itself; it is, however, possible to sue healthcare providers over violations of state laws.