A phishing attack targeting employees at Missouri-based Children’s Mercy Hospital may have compromised PHI on more than 60,000 individuals, the Kansas City Star reported July 3.
The information possibly accessed by hackers included patient names, medical record numbers, dates of hospital stays and procedures, diagnoses and conditions, and other clinical information.
“The hospital identified 63,049 individuals that were potentially affected, which includes a subset of patients. The information involved varied,” Children’s Mercy spokeswoman Lisa Augustine told the newspaper in an email.
“Because the email accounts had a large amount of data that had to be evaluated, we have notified individuals in groups as we progressed through the process. The hospital has taken and continues to take steps to protect against any further incidents. These steps have included the implementation of the additional technical control of multi-factor authentication,” Augustine related.
In a statement posted on its website, Children’s Mercy said that on December 2, 2017, its information security team detected unauthorized account access to two employee email accounts associated with a phishing email.
Additional employee email accounts were accessed by unauthorized persons on December 15 and 16, 2017, and January 3, 2018.
After working with outside security experts, Children’s Mercy determined on January 19, 2018, that the mailbox accounts for four of the employees were downloaded.
The hospital said that it is providing free credit monitoring services to affected patients.
In addition, Children’s Mercy reported to OCR on June 27 that 1,463 individuals were affected by an unauthorized access/disclosure incident.
Children’s Mercy was one of the hospitals involved in an incident in which an IT worker was able to pick up unencrypted pager data from hospitals in Missouri and Kansas using an antenna he purchased to receive IT channels on his laptop.
Augustine confirmed with HealthITSecurity.com that the report to OCR related to the unencrypted pager incident.* “We were able to complete the transition of the channel in question to a secure transmission channel. We are continuously evaluating our various methods of transmission and communication to address potential areas with room for improvement,” she said in an emailed statement.
Last year, the hospital said it discovered an unauthorized website containing information collected by one of the hospital’s physicians. It reported to OCR that 5,511 individuals were affected by the breach.
The hospital said it deemed security controls on the website to be insufficient and vulnerable to potential unauthorized access. It took down the website upon discovery.
Information that may have been exposed included patient names, medical record numbers, gender, dates of birth, encounter numbers, age, height, weight, body mass index, admission dates, discharge dates, procedure dates, diagnostic and procedure codes, and brief notes.
The Kansas City Star reported in 2017 that major breaches of medical privacy occurred more often in Missouri than in any other state its size over the previous two years.
* This story has been updated with the information provided by Lisa Augustine concerning Children’s Mercy Hospital's June 27 OCR report.
PHI on 1,300 Patients at Progressions Caught in Phishing Attack
The PHI of more than 1,300 patients of the Pennsylvania-based Progressions Behavioral Health Services may have been exposed in an email breach, the provider reported to OCR on June 25.
The healthcare provider said in a statement that it discovered on April 24 that a phishing attack had resulted in a breach of some employees’ email accounts.
PHI that might have been compromised included patients’ names, services received from Progressions, health insurance information, and Social Security numbers.
The clinic sent letters on June 22 notifying affected patients. It is offering free credit monitoring services to patients whose Social Security number could have been accessed.
“We deeply regret any concern or inconvenience this incident may have caused our patients. To help prevent something like this from happening in the future, we are reinforcing education with our staff on phishing emails,” Progressions said.
San Francisco Delays Notification to OCR about Nuance-related Breach
The San Francisco Department of Public Health took more than a month after issuing a public statement about a PHI data breach to inform OCR about the incident.
The incident involved the breach at Nuance, a medical transcription service, which exposed more than 45,000 patient records in December 2017.
On May 11, the department issued a statement that a former employee at Nuance got unauthorized access to the PHI of 895 patients of San Francisco General and Laguna Honda hospitals.
The information accessed included personal data such as name, date of birth, medical record number, patient number, patient condition, assessment, diagnosis, treatment, care plan, and date of service.
However, the department did not report the incident to OCR until June 25, a delay of more than a month. The department could not be reached for comment about the reason for the delay.