It has been confirmed that Kansas City Children’s Mercy Hospital has now begun the process of notifying more than 5,500 patients that portions of their electronic protected health information have been exposed online.
It was discovered that personally identifiable information and some protected health information had been uploaded to a website that had been set up by one of the hospital’s doctors. The website was intended to be an educational resource for medical students.
The physician had used a password to protect the site before proceeding to upload information concerning patients’ health. The physician, acting in good faith, believed that the site was secure and that patient health information was protected from unauthorized access.
Nonetheless, the website, which was neither owned nor maintained by the Kansas City Children’s Mercy Hospital, violated a number of hospital policies and did not adhere to its information security standards. Consequently, the hospital acknowledged that patients’ protected health information may have been accessed by unauthorized third parties.
Extremely sensitive information on patients, including insurance details, financial data, contact details and Social Security numbers, was not entered on the website; however, the personal information of patients was revealed. The doctor concerned uploaded information such as first and family names, birth dates, ages, genders, service dates, admission dates, discharge dates, diagnostic and procedural codes, medical record numbers and doctors’ medical notes about the patients. Furthermore, details of the patients’ heights, weights and body mass indexes were included on the site.
Breach notification letters have now been posted to patients, which is a requirement of the HIPAA Breach Notification Rule. Precautionary free identity theft protection services with AllClear have been made available to patients for a period of one year.
Children’s Mercy Hospital is now putting procedures in place to guarantee that there is no repeat of this incident. This includes the retraining of staff members on hospital/HIPAA policies. Although it is acknowledged that the health information of patients was revealed as a consequence of the doctor’s actions and data could have been accessed by third parties, Children’s Mercy Hospital has to date received no reports to suggest that any information has been misused. Nevertheless, patients have been advised to exercise caution and to remain alert for any potential fraudulent use of their personal data.