Staff members at Kansas City, Mo.-based Children's Mercy Hospital fell victim to an email phishing scam, potentially compromising the personal health information of 63,049 patients and family members, according to The Kansas City Star.
The email sent to employees appeared to be from a trusted source and contained a link to a fake login page. If staff entered their login information, hackers obtained access to the hospital's system and that specific employee's account.
Potentially compromised health data includes: patient names, medical record numbers, dates of hospital stays and procedures, diagnosis and conditions and other clinical information.
While the hospital posted a notification about the breach to its website in January, affected families in the area are still being notified via letter.
"Because the email accounts had a large amount of data that had to be evaluated, we have notified individuals in groups as we progressed through the process," Children's Mercy spokesperson Lisa Augustine told The Kansas City Star. "The hospital has taken and continues to take steps to protect against any further incidents. These steps have included the implementation of the additional technical control of multi-factor authentication."
The hospital's IT team discovered the unauthorized access to multiple employee email accounts in December 2017 and January 2018. The hospital is continuing its investigation into the incident and will continue to notify affected individuals and families.
The hospital is offering affected patients and family members one free year of identity theft protection.