KANSAS CITY, Mo. -- In the course of just over a year, Children's Mercy Hospital had to send out letters to the parents of nearly 70,000 patients, explaining security breaches that meant their child's personal records could have been compromised.
This year three class-action lawsuits have been filed against the hospital related to three incidents where the records were made public.
Britney Walker had taken her daughter to Children’s Mercy since she was 2 months old. So she said when she got the first letter back in the summer of 2016 that hundreds of medical records being transported were stolen out of the trunk of a car, she tried to give them the benefit of the doubt.
“It contained my child’s name, her date of birth, upcoming appointments that she had, who we were seeing at the clinics," she explained.
Then in May 2017, another 5,300 patients' families received a letter that someone at the hospital had set up an unauthorized website. According to a lawsuit, patient names, dates of births, phone numbers, medical records and diagnoses were posted to the web.
“It’s troubling. Who would want to release information of a child’s medical problems and who would think it would be OK to do something like that?” Walker said.
Then for a month between December 2017 and January 2018, hackers got into an estimated 63,000 patient's medical records through an email phishing scam targeting employees on five occasions.
“The first hack occurred and then the hacker kept going back to the well, 3,4,5 times," attorney Maureen Brady said.
Hospitals that disclose medical records without authorization can face investigations, but Brady said there’s no way for her to know if the Department of Health and Human Services or the Office of Civil Rights is looking into it.
“Someone’s got to say this needs to stop, and who all is better than someone that not once, not twice, but seven times my daughter’s information has been leaked," Walker said.
She’s not only worried about identity theft but also about issues her daughter could face in school or life now that her medical information is potentially public.
“How do you put a value on your privacy? That’s really the question for a court or a jury to decide," Brady said.
"We take the protection of patient information seriously," Children’s Mercy Communications Director Lisa Augustine said. She said she couldn't comment on pending legal proceedings.
Walker said the hospital offered her daughter a year of identity theft monitoring after each breach.