Children's Mercy physician exposes 5.5k patients' PHI on unauthorized website: 5 things to know

Children's Mercy Kansas City (Mo.) on May 19 notified 5,511 patients of an unauthorized disclosure of protected health information.

Here are five things to know.

1. The hospital's information security department discovered an unauthorized website containing information such as patient names, medical record numbers and dates of service. The website was not owned by Children's Mercy or on the hospital's network.

2. The hospital determined a hospital physician had collected the information and used the website "to create an educational resource," according to Children's Mercy. The physician believed all individual information on the website was inaccessible and password protected.

3. The website's security controls did not meet the hospital's standards for patient information, and Children's Mercy determined storing patient information on the website violated the institution's policies.

4. Children's Mercy said there is no evidence of any misuse of patient information; however, the information could have been accessed by unauthorized third parties. The exposed information may have included names, medical record numbers, gender, date of birth, height, weight, dates of service and brief notes.

5. The hospital took down the website upon discovery. Children's Mercy also established a call center and offered free identity theft protection to affected patients.


Copyright © 2022 Becker's Healthcare. All Rights Reserved.