Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information.

In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January.

The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent article in the Kansas City Star, some patients have only just been notified that their PHI was stolen.

In addition to the phishing attack, Children’s Mercy Hospital reported a further breach of 1,463 patients’ PHI to the Department of Health and Human Services’ Office for Civil Rights on June 27, 1018 – an unauthorized access disclosure incident. That incident related to the interception of unencrypted pages sent by physicians at the hospital. The pages were viewed by a radio hobbyist using an antenna and a software-defined radio (SDR) on a laptop computer. Children’s Mercy was not the only hospital affected by that incident.

An unauthorized access/disclosure incident was also reported to OCR by Children’s Mercy Hospital on May 19, 2017. That incident impacted 5,511 patients. In that case, PHI had been uploaded to a website by a physician. The website was unauthorized and lacked appropriate security controls.

Earlier this week, Kansas City law firm McShane and Brady filed a class action lawsuit over the phishing incident. In the lawsuit it is claimed that Children’s Mercy violated Missouri law and breached its fiduciary duty to patients.

“Patients trust health care providers with our medical information and when that is released without our authorization, they’re breaking our trust and breaching what we’ve asked them to do,” said Maureen Brady, partner at McShane and Brady. “When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept.”

While the lawsuit seeks damages for all patients impacted by the breach, those damages have not been stated in the lawsuit.

This is not the first time that legal action has been taken against Children’s Mercy Hospital over a privacy breach, and neither is it the first time McShane and Brady has sued the hospital. The law firm also filed a class action lawsuit over the 5,511-record breach in 2017.

There is no private cause of action in HIPAA, so it is not possible for patients to take legal action for the exposure of protected health information as a result of a HIPAA violation, although it is possible to sue healthcare providers over violations of state laws.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.