Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI

A website created by a physician at Children’s Mercy Hospital in Kansas City, MO has recently been discovered to lack appropriate security protections, potentially allowing the protected health information of 5,511 patients to be viewed by unauthorized individuals.

The physician created the website with good intentions and used the site as an educational resource. Data uploaded to the website was protected with a password to prevent unauthorized access. However, the protections in place to prevent unauthorized ePHI access did not meet the hospital’s security standards.

The lack of security controls on the website meant information uploaded to the website could have been accessed by unauthorized individuals.

Contact information (addresses and telephone numbers), Social Security numbers, financial information, health insurance details, photos and other images were not uploaded to the site. However, the website did contain information such as patients’ first and last names, gender, age, medical record number, encounter number, dates of service, admission and discharge dates, birthdates, procedure dates, procedure and diagnostic codes, brief notes on the patient and their height, weight and body mass index.

The types of information uploaded to the website would not typically allow unauthorized individuals to defraud patients or commit identity theft, but as a precaution, all patients impacted by the incident have been offered identity theft protection services free of charge through AllClear.

The physician who created the website believed the information uploaded to the website had been appropriately secured and was inaccessible by unauthorized individuals. Children’s Mercy Hospital said the website was unauthorized, was not owned by the hospital, and that the creation of the website and uploading of ePHI was a violation of hospital policies. The website has now been taken down.

The incident has prompted Children’s Mercy Hospital to reeducate key staff members on compliance to prevent future incidents of this nature from occurring. Children’s Mercy Hospital has not received any reports to suggest information uploaded to the website has been misused in any way.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.