Children’s Mercy faces class action lawsuit over data breach affecting thousands

A Kansas City law firm filed a class action lawsuit this week against Children’s Mercy Hospital after personal data from more than 60,000 individuals may have been compromised as part of an email phishing scam that targeted hospital employees.

The suit, which was filed Tuesday in Jackson County Circuit Court, is the fourth lawsuit filed by the firm McShane and Brady over the disclosure of patient medical records by the hospital.

"I thought I was making the best decision for my child by taking him to Children’s Mercy for care," said one of the suit's plaintiffs in a statement through an attorney. "This is the second letter I have received stating his private medical information has been released. These two violations have really shaken my trust in Children’s Mercy Hospital."

Specifically, the lawsuit accuses the hospital of breaching its fiduciary duty to protect patient privacy under Missouri law.

"Patients trust health care providers with our medical information and when that is released without our authorization, they're breaking our trust and breaching what we've asked them to do," said Maureen Brady, a partner at McShane and Brady. "When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept."

A Children's Mercy spokeswoman said the hospital does not comment on pending litigation.

Children’s Mercy previously said that emails sent to employees gave the appearance they were from a trusted source and often contained links to a phony login page on a fake website. Hackers gained access to the accounts of employees who entered their user names and passwords on that page.

The compromised data may have included patient names and information, medical record numbers, dates of hospital stays and procedures, diagnoses and conditions and other clinical information, according to a letter sent from Children's Mercy to those affected.

Children's Mercy said its IT team discovered unauthorized access to multiple employee email accounts in December 2017 and January 2018. The letter said the hospital is investigating the incidents and notifying patients, and that it was not aware of specific misuse of the patient information.

As a precaution, Children's Mercy automatically enrolled the affected patients in the AllClear ID program for a year at no cost, the letter said. A spokesperson said Children's Mercy has established a call center (1-855-354-4116) and an informational webpage to provide answers to families that may have been affected.

While the hospital posted a notification about the incident on its website in January, families in the area still were getting notices last week that their information may have been compromised.

Brittany McWilliams of Tonganoxie, Kan., told The Star that her family received a letter last week. She said she contacted the monitoring company, but didn’t get more answers, such as specifics on how the breach occurred or how this information could affect her child.

“Now I have this letter and no more real answers, other than ‘Hey, here, you can be monitored,’ ” McWilliams said, calling it a “Band-Aid for the problem.”

She said it was frustrating that her family was just now being notified of the potential breach when it occurred in January.

“It’s frustrating because they’ve had months to use my kiddo’s information if they got a hold of it,” she said. “I can’t fix it. I can’t change it. We just have to deal with it.”

A spokesperson with the hospital said last week that they have notified those affected in batches as they have progressed through the large amount of data that had to be evaluated.

Because the lawsuit does not specify an amount to be awarded to the more than 63,000 individuals affected, it is unclear how much money individuals could potentially get from the suit. If the case proceeds and there is an award or settlement, all of those affected would be notified automatically and don't have to contact the law firm to join the case first.

This isn't the only data breach of Children's Mercy in recent years, and it isn’t the first lawsuit over Children’s Mercy privacy breaches.

The firm also filed another class action suit against the hospital earlier this year for a 2017 incident where the personal information from more than 5,500 people was put on a personal website by a physician. The breach included names, dates of birth, diagnoses and conditions.

In order to prevent a similar breach from happening in the future, “CMH reviewed and updated policies, created a new online course, retrained employees, (the) physician received monetary sanctions, and conducted additional counseling,” according to a federal health care breach website.

The hospital was also recently sued for a 2016 incident where paper records for more than 200 patients were stolen from the trunk of a hospital employee’s vehicle.

And it settled a suit with a single plaintiff when, in 2015, a physician from Children’s Mercy took the child’s medical records home and they were stolen from her car while it was parked at Loose Park.
