Tuesday, July 10, 2018

Children's Mercy Hospital Exposes Patient Data from Phishing Scam

CMH logo.jpg
 
Here in my hometown of Kansas City, is one of the best children’s hospital systems in the U.S.  The Children’s Mercy Hospital system is an incredible healthcare system that deals with all kinds of problems and diseases for children.
 
Unfortunately, CMH was recently hit with a phishing scam that resulted in the exposure of over 60,000 individuals personal data.  
 
According to the Kansas City Star "The emails sent to employees gave the appearance they were from a trusted source and often contained links to a phony login page on a fake website, the hospital said. That gave hackers access to the employee accounts if they entered their usernames and passwords.”  For the story from the KC Star, follow this link.
 
Here is the breach notification from CMH:
 

Children’s Mercy is notifying families who may have been affected by a recent “phishing” incident. "Phishing" emails appear to be from a trusted source and often contain links to a phony login page on a fake website, frequently fabricating an urgent reason to motivate the recipient of the email to enter a username and password.
On Dec. 2, 2017, the Children's Mercy Information Security team detected unauthorized account access to two employee email accounts associated with a phishing email. These two accounts were reset by Children's Mercy's Information Security team the same day in order to stop any unauthorized access. 


Two additional employee email accounts were accessed by unauthorized persons on Dec. 15 and 16 of 2017. These accounts were reset by Children's Mercy's Information Security team on Dec. 18, 2017 to stop any unauthorized access. 


Unauthorized access to an additional employee email account occurred on the night of Jan. 3, 2018. The following morning, the Children’s Mercy’s Information Security team reset the account to stop any unauthorized access. 


With the assistance of outside security experts, Children's Mercy investigated the incidents to determine what, if any, information was accessed. On Jan. 19, 2018, Children’s Mercy determined that the mailbox accounts for four of the five affected employees were downloaded by unauthorized individuals. Additional remediation is in process, and Children’s Mercy is continuing its investigation into the incident, taking steps to mitigate any impact to individuals, and to protect against any further incidents.

Although Children’s Mercy is not aware of any misuse of patient information, the hospital is notifying affected individuals. The categories of information vary for individuals, but may have included first and last name, medical record number, gender, date of birth, age, height, weight, body mass index, admission date, discharge date, procedure date, diagnostic and procedure codes, clinical information, demographic information, diagnosis, conditions, other treatment information and identifying or contact information.

Children’s Mercy has established a call center (1-855-354-4116) and an informational webpage (childrensmercy.org/February2018) to provide answers to families who may have been affected. Additionally, Children’s Mercy is offering free identity theft protection to those families.

The hospital sincerely apologizes for this situation.

Addendum: As noted above, the hospital is taking steps to protect against any further incidents. These steps have included the implementation of the additional technical control of multi-factor authentication.

About Children’s Mercy Kansas City 
Founded in 1897, Children’s Mercy is one of the nation’s top pediatric medical centers with more than 500,000 patient encounters each year. With not-for-profit hospitals in Missouri and Kansas, and numerous specialty clinics in both states, Children’s Mercy provides the highest level of care for children from birth through the age of 21. U.S. News & World Report has repeatedly ranked Children’s Mercy as one of “America's Best Children's Hospitals.” For the fourth time in a row, Children’s Mercy has achieved Magnet nursing designation, awarded to fewer than seven percent of all hospitals nationally, for excellence in quality care. Its faculty of more than 700 pediatric subspecialists and researchers across more than 40 subspecialties are actively involved in clinical care, pediatric research, and educating the next generation of pediatric subspecialists. Thanks to generous philanthropic and volunteer support, Children’s Mercy provides medical care to every child who passes through its doors, regardless of a family’s ability to pay. 

Post a Comment