Cyber Incident Victim: Seattle Children's Hospital

In late May 2022, Seattle Children’s Hospital became involved in a cybersecurity incident stemming from a ransomware attack targeting KayeSmith, a third-party mail service vendor utilized by the hospital for marketing and communications. The attack compromised KayeSmith’s systems, rendering stored data temporarily inaccessible and enabling unauthorized actors to potentially access files containing patient information. Seattle Children’s Hospital was notified of the breach by KayeSmith in September 2022, approximately four months after the initial attack occurred. Forensic investigations determined that exposed data included patient names, addresses, provider names, medical record numbers, visit details, laboratory information, guarantor numbers, and insurance carrier names. The incident affected 6,750 patients, as reported to the HHS Office for Civil Rights. Neither KayeSmith nor Seattle Children’s Hospital identified evidence confirming actual misuse of the compromised data at the time of disclosure.

Following notification, Seattle Children’s Hospital coordinated with KayeSmith to implement additional security safeguards aimed at preventing future breaches. KayeSmith provided affected individuals with complimentary credit monitoring services as a protective measure. The hospital publicly confirmed its collaboration with the vendor to reinforce data handling protocols, though specific technical or procedural changes were not detailed in available reports. Operational impacts appeared limited to the compromised third-party communications systems, with no indication of direct infiltration into Seattle Children’s Hospital’s internal networks. The delayed disclosure timeline—from the May 2022 attack to September 2022 patient notifications—reflected the duration required for KayeSmith’s forensic investigation and risk assessment. No ransomware payment details or attacker identities were disclosed in relation to the incident.