Date: Apr 2021

Location: United States of America

Summary

An unauthorized individual gained access to a limited number of employee email accounts at Children's Hospital of the King's Daughters through a phishing scam, exposing protected health information. The compromised data included names, birth dates, patient account numbers, and health insurance details for affected patients, their guarantors, individuals from a partner hospital receiving lab services, and student athletes provided with athletic training. Some Social Security numbers were also accessed, prompting the organization to offer identity theft monitoring services to those impacted by this exposure. The hospital terminated the unauthorized access upon discovery and initiated an investigation to assess the breach's scope.


Description

On April 20, 2021, an unauthorized individual gained access to a limited number of employee email accounts at Norfolk, Virginia-based Children’s Hospital of the King’s Daughters (CHKD) through a phishing scam. The hospital identified the inappropriate access promptly, terminated the hacker’s access, and initiated an internal investigation to assess the scope and impact. By July 2021, forensic analysis confirmed that the compromised email accounts contained protected health information belonging to multiple affected groups. These included certain CHKD patients and their financial guarantors, select patients of Sentara Norfolk General Hospital who had received laboratory testing or diagnostic services through CHKD, and specific student athletes who participated in athletic training programs operated by the hospital. The breach remained under investigation for nearly three months before CHKD commenced patient notifications on August 10, 2021.


Exposed personal information encompassed names, dates of birth, patient account identifiers, and health insurance policy numbers. A subset of individuals also had their Social Security numbers compromised during the incident. CHKD confirmed no evidence of actual misuse of the data but acknowledged the potential risk of identity theft or fraud stemming from the exposure. In response, the hospital implemented measures to notify all affected parties via formal communication and offered complimentary identity theft monitoring services exclusively to those whose Social Security numbers were accessed. The institution did not disclose the total number of impacted individuals or specify whether additional security controls were applied to email systems following the breach. Operational disruptions were not reported, with containment actions limited to terminating the attacker’s access and conducting forensic reviews to establish data exposure parameters.
