Cyber Incident Victim: Children's Hospital of Philadelphia

Children’s Hospital of Philadelphia (CHOP) identified two separate email security incidents affecting patient health information in August and September 2018. The first incident was detected on August 24, 2018, involving unauthorized access to a physician’s email account on August 23. A second incident was discovered on September 6, 2018, stemming from unauthorized access to another email account on August 29. CHOP initiated an investigation with assistance from a forensic firm immediately after detecting each breach. The investigation confirmed both email accounts contained protected health information, including patient names, dates of birth, and clinical details related to neonatal and fetal care provided at CHOP or the Hospital of the University of Pennsylvania (HUP). The compromised data did not include Social Security numbers, financial records, or credit information. These incidents impacted a limited number of mothers and infants who had received care through these specialized services.

CHOP mailed notification letters to affected families on October 23, 2018, advising them to review medical statements for discrepancies and contact providers if they identified unfamiliar services. The hospital established a dedicated call center operating Monday through Friday from 9 a.m. to 6 p.m. Eastern Time to address patient inquiries. CHOP emphasized no evidence of actual or attempted misuse of patient information but implemented enhanced email security measures to prevent recurrence. Public statements acknowledged the incidents affected only specific patient groups tied to neonatal/fetal care and reiterated CHOP’s commitment to privacy. The hospital directed impacted individuals to its website for additional details while expressing regret for any concerns caused.