Children’s Mercy Hospital in Kansas City has started notifying more than 5,500 patients that some of their electronic protected health information has been exposed online.
Personally identifiable information and protected health information were discovered to have been uploaded to a website set up by one of the hospital’s physicians. The website was intended to serve as an educational resource.
The physician had protected the site with a password before uploading patient health information. The physician believed that the site had been appropriately secured and patient health information could not be accessed by unauthorized individuals.
However, the website, which was neither owned nor maintained by Children’s Mercy Hospital, violated hospital policies and did not meet the hospital’s information security standards. As a result, the hospital said patients’ protected health information could have been viewed by unauthorized third parties.
Highly sensitive patient data such as insurance details, financial information, contact details and Social Security numbers were not uploaded to the website, although personal information of patients was exposed. The physician had uploaded information such as first and last names, dates of birth, ages, genders, dates of service, admission dates, discharge dates, diagnostic and procedure codes, medical record numbers and brief notes on the patients. Heights, weights and body mass indexes were also uploaded to the site.
Patients have been sent breach notification letters in the mail, as is required by the HIPAA Breach Notification Rule. All patients have been offered identity theft protection services with AllClear for 12 months at no charge as a precaution.
Children’s Mercy Hospital is taking steps to ensure that incidents such as this do not occur again, including retraining staff members on hospital/HIPAA policies. While patient health information was exposed as a result of the physician’s actions and data may have been accessed, Children’s Mercy Hospital has not received any reports to suggest any information has been misused. However, patients have been advised to exercise caution and be vigilant for fraudulent use of their data.