Cyber Incident Victim: Rady Children's Hospital

On June 20, 2019, unauthorized individuals accessed patient data through an open internet port at Rady’s Children’s Hospital in San Diego. The breach remained undetected for over six months until hospital personnel discovered the intrusion on January 3, 2020. The hospital immediately terminated the unauthorized access and initiated an investigation into the incident, which they classified as radiology-related. No details were disclosed regarding how the breach was initially detected, why the port remained exposed, or whether the access constituted a targeted attack versus opportunistic scanning. The investigation confirmed that the intruders accessed protected health information during the exposure window between June 2019 and January 2020.

The compromised data included patient names, genders, and information about imaging studies conducted—specifically the type of imaging performed and associated dates. For a subset of affected individuals, the breach additionally exposed dates of birth, medical record numbers, detailed descriptions of imaging procedures, and names of referring physicians. The hospital determined that no Social Security numbers, financial information, or clinical treatment records were accessed. Beginning in February 2020, Rady’s systematically notified all impacted patients through mailed letters, though the total number of affected individuals was not publicly disclosed. As remediation, the hospital offered complimentary identity protection services to those whose data was exposed. No evidence emerged suggesting misuse of the stolen information, and the organization implemented unspecified security enhancements following the incident to prevent similar occurrences.