Home > Breach Notification
Breach Notification
Kansas City, Mo. – Jan. 31, 2018 – Children’s Mercy is notifying families who may have been affected by a recent “phishing” incident. "Phishing" emails appear to be from a trusted source and often contain links to a phony login page on a fake website, frequently fabricating an urgent reason to motivate the recipient of the email to enter a username and password.
  • On Dec. 2, 2017, the Children's Mercy Information Security team detected unauthorized account access to two employee email accounts associated with a phishing email. These two accounts were reset by Children's Mercy's Information Security team the same day in order to stop any unauthorized access. 
  • Two additional employee email accounts were accessed by unauthorized persons on Dec. 15 and 16 of 2017. These accounts were reset by Children's Mercy's Information Security team on Dec. 18, 2017 to stop any unauthorized access. 
  • Unauthorized access to an additional employee email account occurred on the night of Jan. 3, 2018. The following morning, the Children’s Mercy’s Information Security team reset the account to stop any unauthorized access. 
With the assistance of outside security experts, Children's Mercy investigated the incidents to determine what, if any, information was accessed. On Jan. 19, 2018, Children’s Mercy determined that the mailbox accounts for four of the five affected employees were downloaded by unauthorized individuals. Additional remediation is in process, and Children’s Mercy is continuing its investigation into the incident, taking steps to mitigate any impact to individuals, and to protect against any further incidents.

Although Children’s Mercy is not aware of any misuse of patient information, the hospital is notifying affected individuals. The categories of information vary for individuals, but may have included first and last name, medical record number, gender, date of birth, age, height, weight, body mass index, admission date, discharge date, procedure date, diagnostic and procedure codes, clinical information, demographic information, diagnosis, conditions, other treatment information and identifying or contact information.

Children’s Mercy has established a call center (1-855-354-4116) and an informational webpage (childrensmercy.org/February2018) to provide answers to families who may have been affected. Additionally, Children’s Mercy is offering free identity theft protection to those families.

The hospital sincerely apologizes for this situation.

Addendum: As noted above, the hospital is taking steps to protect against any further incidents. These steps have included the implementation of the additional technical control of multi-factor authentication.

About Children’s Mercy Kansas City
Founded in 1897, Children’s Mercy is one of the nation’s top pediatric medical centers with more than 500,000 patient encounters each year. With not-for-profit hospitals in Missouri and Kansas, and numerous specialty clinics in both states, Children’s Mercy provides the highest level of care for children from birth through the age of 21. U.S. News & World Report has repeatedly ranked Children’s Mercy as one of “America's Best Children's Hospitals.” For the fourth time in a row, Children’s Mercy has achieved Magnet nursing designation, awarded to fewer than seven percent of all hospitals nationally, for excellence in quality care. Its faculty of more than 700 pediatric subspecialists and researchers across more than 40 subspecialties are actively involved in clinical care, pediatric research, and educating the next generation of pediatric subspecialists. Thanks to generous philanthropic and volunteer support, Children’s Mercy provides medical care to every child who passes through its doors, regardless of a family’s ability to pay. 

Copyright © 2018 The Children’s Mercy Hospital