Email Accounts Compromised at Children’s Health Care

Children’s Health Care in Minneapolis, MN, doing business as Children’s Minnesota, found out that patients’ protected health information (PHI) was compromised in an email security incident that was identified on March 13, 2024. Children’s Health Care is a large pediatric healthcare provider in the U.S. It has two hospital campuses, located in St. Paul and Minneapolis, as well as specialty clinics. It is the only Level I Trauma Center in Minnesota and the exclusive provider of care for kids from birth to young adulthood. It is an expert in the diagnosis, treatment, and research of diseases that affect babies and kids, including diabetes, epilepsy, cystic fibrosis, and cancers.

The children’s hospital detected suspicious activity in its email system. A forensic investigation confirmed that hackers accessed the email accounts of two employees from February 29, 2024 to March 25, 2024. The analysis of the emails and file attachments is still in progress; it was found that patient data associated with the surgical services department was saved in those accounts.

The data possibly exposed in the attack included names, birth dates, addresses, insurance carrier names, provider names, medical record numbers, treatment cost data, and/or limited treatment data associated with care obtained at Children’s Minnesota. The breached accounts didn’t include any Social Security numbers, financial account information, or credit card details. Although patient information was compromised, Children’s Minnesota did not receive any report of misuse of patient data.

The breach report was submitted to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) as impacting 7,260 individuals. Those patients will receive breach notifications by mail soon. Children’s Health Care already provides employees with cybersecurity and HIPAA privacy training and will keep doing so. Extra safety measures will also be implemented to boost email security and avoid similar incidents in the future.

 

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA