Health Care

Thousands of patients' data stolen after Children's Mercy employees fall for scam

File photo

Personal data from more than 60,000 individuals may have been compromised as part of an email phishing scam that targeted Children’s Mercy Hospital employees.

The emails sent to employees gave the appearance they were from a trusted source and often contained links to a phony login page on a fake website, the hospital said. That gave hackers access to the employee accounts if they entered their usernames and passwords.

The compromised data may have included patient names and information, medical record numbers, dates of hospital stays and procedures, diagnoses and conditions and other clinical information, according to a letter sent from Children's Mercy to those affected.

While the hospital posted a notification about the incident on its website in January, families in the area are still getting notices that their information may have been compromised.

When Devin Wilson of Lenexa received a letter from Children's Mercy in the mail earlier this week, he thought it was a bill.

"We do quite a bit of business with Children's Mercy — we've got two kids," Wilson said.

"As parents, our information has been compromised before, things like email passwords or store credit cards once in awhile. But to have our kids' information, potentially health and medical records and other personal information breached is really frustrating. ... Hopefully, just a small thing. Hopefully it's not tens of thousands of patients."

Children's Mercy spokeswoman Lisa Augustine said in an email to The Star: "The hospital identified 63,049 individuals that were potentially affected, which includes a subset of patients. The information involved varied.

"Because the email accounts had a large amount of data that had to be evaluated, we have notified individuals in groups as we progressed through the process. The hospital has taken and continues to take steps to protect against any further incidents. These steps have included the implementation of the additional technical control of multi-factor authentication."

Children's Mercy said its IT team discovered unauthorized access to multiple employee email accounts in December 2017 and January 2018. The letter said the hospital is investigating the incidents, notifying patients, and is not aware of specific misuse of the patient information.

As a precaution, Children's Mercy automatically enrolled the affected patients in the AllClear ID program for a year at no cost, the letter said. Augustine said Children's Mercy has established a call center (1-855-354-4116) and an informational webpage to provide answers to families that may have been affected.

This isn't the only data breach of Children's Mercy in recent years, but it's the largest. And it's the second largest of any health care-related breach in Missouri since 2010.

In 2017, the hospital reported that more than 5,500 patients' personal details could have been compromised after a physician created an "educational resource" believing the information was password-protected.

In 2016, a few hundred Children's Mercy patients' medical records were stolen from an employee's car, Becker’s Hospital Review reported.

Last year, The Star reported that major breaches of medical privacy happened more often in Missouri than in any other state its size over the past two years. The lapses potentially exposed sensitive medical information, left patients at risk for identity theft and could lead to hefty fines from the U.S. Department of Health and Human Services Office of Civil Rights.

Health care providers must report any medical privacy breach that involves at least 500 patients to the federal government.

An online database maintained by the Office of Civil Rights shows that Children's Mercy reported the breach to the government on Jan. 31. It reported another breach of 1,463 individuals' information on June 27.

Related stories from Kansas City Star