Patients' Data Stolen After an Email Phishing Scam Targets Children's Mercy Hospital
You need to keep your wits about you when you're online. A single lapse in concentration and you could give hackers the chance to do some real damage. When you're at work, the potential consequences of a cybersecurity blunder are even more serious. In the office, it's no longer just about your data. It could be the data of many more people that are at risk. In the case of Children's Mercy Hospital in Kansas, we're talking about tens of thousands of people, most of them kids.
The cyberattack on the hospital actually took place more than seven months ago, and, there's no way to sugarcoat this, it was completely avoidable. In January, Children's Mercy put up a breach notification on its website saying that an unauthorized party had downloaded personal details of some of the hospital's patients. The exposed information included names, date of birth, height, weight, clinical information, diagnosis, condition, admission date, discharge date, etc., and the crooks got their hands on it after pulling off the simplest of online scams – phishing.
The official announcement doesn't say much, but we can gather from it that a few employees unwittingly gave away their login credentials to hackers after clicking on email links they shouldn't have clicked on. On December 2, the hospital's IT team noticed unauthorized access to two inboxes, but instead of resetting all email passwords, they just shut off access to the affected accounts. Not surprisingly, over the next few weeks, the hackers broke into a few other email inboxes, and it was not until late January that the hospital's IT people realized that data had been exfiltrated.
At the time, Children's Mercy said that experts were still assessing the damage and could not confirm how many patients had been affected. Now, more than five months later, we have a definitive number. A spokesperson recently told The Kansas City Star that just over 63 thousand individuals have had their data leaked. The hospital representatives are still working on contacting all the victims, and they promise that every affected person will receive one year's worth of identity theft protection free of charge.
You can now see why so many organizations spend thousands on anti-phishing training for their employees. The fact that multiple accounts got compromised clearly shows that Children's Mercy employees simply didn't understand the threat. The hospital's IT team should probably have taken more serious precautions after the hacking of the first inboxes as well, especially when you consider that this is not the first cybersecurity incident related to Children's Mercy Hospital in Kansas City, Missouri.
Last year, a physician working at the hospital published the personal details of about 5,500 patients on the Internet while trying to create an educational resource. He thought that the data was protected by a password, but that turned out not to be the case.
Healthcare organizations in the US are required by law to disclose every single data breach, and there's a special portal that aggregates and makes the information public. According to it, on June 27, Children's Mercy Hospital reported a breach which affects a little under 1,500 individuals. No additional details are available, and there's no information on the hospital's website, so we can't be sure whether this incident is in any way connected to the phishing attacks from December and January. It's safe to say, however, that patients, and in this particular case, their parents, are probably feeling a bit uneasy about the whole thing.
Healthcare organizations are targeted by successful cyberattacks every day, which shows that they're not very well prepared when it comes to securing patients' data. We can only hope that they'll soon start paying more attention to the problem. We can also be more aware of the threat of phishing. After all, you don't want to be the next person who follows a link and inadvertently exposes the data of tens of thousands of innocent individuals.