A class action lawsuit was filed this week against Kansas City, Missouri-based Children’s Mercy Hospital in response to a healthcare data breach that affected more than 60,000 individuals earlier this year, the Kansas City Star reported July 10.
The lawsuit, filed by the law firm of McShane and Brady in Jackson County Circuit Court, accuses Children’s Mercy Hospital of breaching its fiduciary duty to protect patient privacy under Missouri law.
The breach resulted from a phishing attack against hospital employees’ email accounts at the end of last year and early this year.
The information possibly accessed by hackers included patient names, medical record numbers, dates of hospital stays and procedures, diagnoses and conditions, and other clinical information.
Children’s Mercy reported to OCR in January that 63,049 individuals were affected by the breach.
This is the fourth class action lawsuit McShane and Brady has filed against Children’s Mercy over a patient data breach.
“Patients trust health care providers with our medical information and when that is released without our authorization, they're breaking our trust and breaching what we've asked them to do,” Maureen Brady, a partner at McShane and Brady, told the newspaper.
“When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept,” Brady added.
Children’s Mercy declined to comment on pending litigation.
“I thought I was making the best decision for my child by taking him to Children’s Mercy for care,” said one of the plaintiffs in a statement through an attorney. “This is the second letter I have received stating his private medical information has been released. These two violations have really shaken my trust in Children’s Mercy Hospital.”
The hospital said that it is providing free credit monitoring services to affected patients.
Brittany McWilliams of Tonganoxie, Kansas, told the newspaper that she received a letter last week. She contacted the monitoring company, but didn’t get the answers she wanted, such as how the breach occurred or how this information could affect her child.
“Now I have this letter and no more real answers, other than ‘Hey, here, you can be monitored,’” McWilliams said, calling it a “Band-Aid for the problem.”
She said it was frustrating that her family was just now being notified of the potential breach when it occurred in January.
In a statement on its website, Children’s Mercy said that on December 2, 2017, its information security team detected unauthorized account access to two employee email accounts associated with a phishing email.
Additional employee email accounts were accessed by unauthorized persons on December 15 and 16, 2017, and January 3, 2018.
After working with outside security experts, Children’s Mercy determined on January 19, 2018, that the mailbox accounts for four of the employees were downloaded.
Last month, Children’s Mercy reported to OCR that 1,463 individuals were affected by an unauthorized access/disclosure incident.
The hospital confirmed with HealthITSecurity.com that the OCR report related to an incident in which an IT worker was able to pick up unencrypted pager data from hospitals in Missouri and Kansas using an antenna he purchased to receive TV channels on his laptop.
“We were able to complete the transition of the channel in question to a secure transmission channel. We are continuously evaluating our various methods of transmission and communication to address potential areas with room for improvement,” Children’s Mercy spokeswoman Lisa Augustine said in an emailed statement.
Last year, Children’s Mercy discovered an unauthorized website containing information collected by one of the hospital’s physicians. It reported to OCR that 5,511 individuals were affected by the breach.
The hospital said security controls on the website were vulnerable to potential unauthorized access. It took down the website upon discovery.
Information that may have been exposed included patient names, medical record numbers, gender, dates of birth, encounter numbers, age, height, weight, body mass index, admission dates, discharge dates, procedure dates, diagnostic and procedure codes, and brief notes.