Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: all
Company or Organization:
Date Made Public:
June 27, 2018
Company: Children's Mercy Hospital
Location: , Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,463

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
January 31, 2018
Company: Children's Mercy Hospital
Location: , Missouri
Type of breach:
HACK
Type of organization:
MED
Records Breached:
63,049

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 19, 2017
Company: Children's Mercy Hospital
Location: , Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
5,511

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 19, 2017
Company: Children's Mercy Hospital
Location: , Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
5,511

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
August 15, 2014
Company: Children's Mercy Hospital
Location: , Missouri
Type of breach:
HACK
Type of organization:
MED
Records Breached:
4,067

The covered entity (CE), Children's Mercy Hospital, reported that the protected health information (PHI) of 4,067 individuals stored in an online registration system by the subcontractor, Onsite Health Diagnostics, of its business associate (BA), StayWell Health Management, was hacked. The hacked information included names, encrypted passwords, email addresses, physical addresses, phone numbers, genders, and dates of birth. Because the subcontractor-generated passwords were encrypted/hashed, they were rendered unusable. The CE provided breach notification to HHS, affected individuals, and the media. The CE reported that the subcontractor moved all data from the affected scheduling application, moved all of its clients to a new scheduling platform, and completely decommissioned the vulnerable platform. The subcontractor also conducted a comprehensive security audit and found no other improper uses of protected health information or vulnerabilities. As a result of OCR's investigation, the CE provided documentation substantiating all actions taken.

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
CSV