Lawsuit Filed Against Children’s Mercy Hospital for Data Breach of 63,000 Patients’ PHI

A lawsuit has been filed against Children’s Mercy Hospital following a phishing attack that resulted in the theft of the protected health information (PHI) of 63,049 patients.

Between December 2017 and January 2018, five email accounts were compromised. On December 2, 2017, the hospital discovered that two email accounts had been accessed by an unauthorized person after two employees clicked links in phishing emails. The links opened a website where the employees were tricked into entering their email login credentials. Two weeks later, two more email accounts were found to have been compromised through phishing attacks. A fifth email account was compromised in early January 2018.

The attacker was able to download the mailboxes of four of the compromised email accounts. As a result, the PHI of patients was impermissibly disclosed. Children’s Mercy posted a substitute breach notice on its website to notify patients and, at the same time, began sending notification letters by mail. Because so many patients were impacted, the hospital had to send the notification letters in batches. An article in the Kansas City Star suggested that some patients only received their breach notification letters recently.

Aside from the phishing attack, another breach impacting 1,463 patients’ PHI was reported by Children’s Mercy Hospital to the Department of Health and Human Services’ Office for Civil Rights in June. The breach involved the interception of unencrypted pages sent by the hospital’s physicians. A radio hobbyist intercepted the pages using an antenna and a software-defined radio (SDR) on his laptop computer. Children’s Mercy Hospital was not the only hospital affected by that breach.

Another breach was reported by Children’s Mercy Hospital to OCR on May 19, 2017. The unauthorized access/disclosure incident affected 5,511 patients. The breach was caused by a physician who uploaded PHI to a website lacking appropriate security controls.

Kansas City law firm McShane and Brady filed the class action lawsuit against Children’s Mercy Hospital over the phishing incident. In the lawsuit the firm accused Children’s Mercy of breaking Missouri law and failing to fulfill its fiduciary duty to patients. Damages for all patients affected by the breach are being sought, although no figures were mentioned in the lawsuit.

This is not the first time McShane and Brady has sued Children’s Mercy Hospital over a privacy breach. The law firm also filed a class action lawsuit over the 5,511-record breach that occurred in 2017.

Patients can’t take legal action against hospitals over HIPAA violations because there is no private cause of action in HIPAA. However, patients can sue healthcare providers for violating state laws, as is the case in this lawsuit.