Children’s Hospital of Philadelphia’s Double Account Breach Due to Phishing Attacks


The email accounts of two employees of the Children’s Hospital of Philadelphia (CHOP) were compromised in successful phishing attacks launched on August 23 and August 29, 2018.

On August 24, CHOP identified that a doctor’s email account had been accessed by an unauthorized person. According to the investigation, the account had also been accessed the day before. On September 6, two weeks after the first incident, CHOP identified another email account that was compromised. Investigators said that it was first accessed on August 29. In both breach cases, CHOP took quick action to protect the email accounts from further access. A top computer forensics company helped with the investigations, particularly in determining the extent of the breach.

Analysis of the email accounts showed that the person(s) responsible for the phishing attacks could have accessed the protected health information (PHI) of some patients associated with CHOP’s neonatal and fetal programs. The exposed data varies from patient to patient and may have included full names, dates of birth, and clinical data relevant to neonatal/fetal services obtained at the Children’s Hospital of Philadelphia or, in a few cases, at the Hospital of the University of Philadelphia. Social Security numbers and financial data were not included in the exposed information.

It is very likely that the emails in the account were viewed and ePHI was stolen. However, CHOP has not found any information that indicates misuse of patient information. Breach notification letters were mailed to the mothers and/or parents/legal guardians of present and past patients on October 23, 2018. CHOP advised the individuals whose information may have been compromised to monitor the statements issued by their healthcare providers for any fraudulent transactions.

CHOP did not disclose how many persons were affected by the breach. The incidents have not been posted to the Department of Health and Human Services’ Office for Civil Rights breach webpage.