Here are five things to know.
1. The hospital’s information security department discovered an unauthorized website containing information such as patient names, medical record numbers and dates of service. The website was not owned by Children’s Mercy or on the hospital’s network.
2. The hospital determined a hospital physician had collected the information and used the website “to create an educational resource,” according to Children’s Mercy. The physician believed all individual information on the website was inaccessible and password protected.
3. The website’s security controls did not meet the hospital’s standards for patient information, and Children’s Mercy determined storing patient information on the website violated the institution’s policies.
4. Children’s Mercy said there is no evidence of any misuse of patient information; however, the information could have been accessed by unauthorized third parties. The exposed information may have included names, medical record numbers, gender, date of birth, height, weight, dates of service and brief notes.
5. The hospital took down the website upon discovery. Children’s Mercy also established a call center and offered free identity theft protection to affected patients.