Another massive breach due to email phishing. The target was a children’s hospital- so now the children have to suffer the consequences?!

The Story

This story was in the news recently and Children's Mercy has released information on their website as well. In December 2017 and January 2018, someone sent phishing emails to (at least) 5 employees of Children’s Mercy with links to steal their email login credentials. On different days, (at least) 5 employees fell for the bait and entered their login information into the malicious website. The attackers downloaded (At least) 4 of the those employee’s email accounts and, compromising (at least) 63,049 children’s records. The information of the children varied, but may have included first and last name, medical record number, gender, date of birth, age, height, weight, body mass index, admission date, discharge date, procedure date, diagnostic and procedure codes, clinical information, demographic information, diagnosis, conditions, other treatment information and identifying or contact information (i.e. a lot of information, and definitely enough to steal these kids’ identities).

Was this Preventable?

It’s likely that it could have been prevented through email authentication. The hospital claims it is increasing security by implementing better two-factor authentication. That’s a great start since it adds an extra layer of protection beyond the username and password. But as Nathan For You demonstrated with his video detailing the Vulnerabilities with the Emmys voting system, two-factor authentication can be broken. What if the hospital could stop the phishing emails from landing in their employees’ inboxes? That would be a sure way to stop the breach. Guess what- DMARC can do that.We can’t say exactly what happened in this case since I didn’t see the phishing email, but Children’s Mercy’s main website,, is not using any type of email authentication at all! This means its domain is wide open for anyone to impersonate. DMARC is not that difficult to implement, and it provides an additional layer of protection against this type of attack. email security score July 3 2018

Time for Change

This is a prominent children’s hospital, highly ranked on a national scale. Yet they have fallen victim to the same scheme that keeps popping up across the internet. Spoofed emails are preventable; let’s not let the children pay the price of our negligence anymore. It’s time to get every domain to Reject!

Fraudmarc Can Help

We help individuals, businesses, and nonprofit organizations implement and maintain email authentication policies through our hosted plans and numerous tools, including SPF compression. Our goal is to make email authentication simple and universal, that's why we offer a variety of plans and have released Fraudmarc CE, open source DMARC reporting.