Kansas City, Mo.-based Children's Mercy Hospital was served with a class-action lawsuit July 10 after staff members were tricked by an email phishing scam that potentially compromised 63,049 patients' and family members' protected health information, according to The Kansas City Star.
The suit was filed by the law firm McShane and Brady in Jackson County Circuit Court on behalf of all affected individuals and accuses Children's Mercy of failing to protect patient privacy under state law.
"I thought I was making the best decision for my child by taking him to Children's Mercy for care," one of the suit's plaintiffs told The Kansas City Star in a statement through an attorney. "This is the second letter I have received stating his private medical information has been released. These two violations have really shaken my trust in Children's Mercy Hospital."
A Children's Mercy spokesperson declined The Kansas City Star's request for comment, citing a hospital policy of not publicly addressing pending litigation.
The incident came to light in December 2017 and January 2018 after the hospital's IT team discovered unauthorized access to multiple employee email accounts. Employees were sent an email that appeared to be from a trusted source but contained a link to a fake login page. If staff entered their login information, hackers obtained access to the hospital's system as well as that specific employee's account.
The hospital posted a notification about the incident in January, but families were still being mailed letters about the breach through early July. Potentially compromised data may have included patient names and information, medical record numbers, dates of hospital stays and procedures, diagnoses and conditions, and other clinical information, the letters read.
"Patients trust healthcare providers with our medical information and when that is released without our authorization, they're breaking our trust and breaching what we've asked them to do," Maureen Brady, a partner at McShane and Brady, told The Kansas City Star. "When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept."
The hospital has faced three lawsuits for similar incidents since 2015.