Healthcare Information Security

Latest Health Data Breaches News

Computer Virus Possibly Exposes PHI in Healthcare Data Breach

Some recent healthcare data breaches involved a computer virus, a phishing scam, unsecured PHI in email exchanges, and stolen patient information.

By Jacqueline LaPointe

- Mercy Iowa City, an acute care hospital and regional referral center, recently announced that it experienced a possible healthcare data breach after discovering a computer virus.

Computer virus leads to potential healthcare data breach

While Mercy Iowa City did not state how many individuals were affected, the OCR data breach portal reported that 15,625 individuals were potentially affected by the event.

On January 29, Mercy Iowa City became aware that a computer virus had potentially infected some of its systems three days prior. The hospital secured the computer systems to prevent the spread of the virus.

Mercy Iowa City partnered with a forensics firm to perform an internal investigation. The query found that the computer virus was capable of capturing personal data.

An outside source may have gained unauthorized access to view some patient records, including PHI. The hospital noted that the security breach did not affect all Mercy Hospital and Mercy Clinic patients.

READ MORE: Michigan Medicine Reports 2nd Healthcare Data Breach This Year

The potentially exposed information included names, dates of birth, addresses, treatments, diagnoses, medication lists, names of health insurers, and health insurance policy numbers. Social Security numbers may also have been accessed for some patients.

“To help prevent something like this from happening in the future, we have enhanced our existing technical safeguards to protect patient information,” stated the press release.

Mercy Iowa City mailed letters on March 25 to patients who may have been affected by the incident. The hospital also created a call center dedicated to answering questions about the data security event.

There is no evidence that any patient information has been inappropriately used, Mercy Iowa City reported.

Phishing scam leads to potential data breach in NY

READ MORE: 1.13M Records Exposed by 110 Healthcare Data Breaches in Q1 2018

The Metropolitan Jewish Health System, Inc. (MJHS) reported a possible healthcare data breach after a phishing email incident occurred in January.

The OCR data breach portal stated that 2,483 individuals were affected by the potential security breach.

On January 22, MJHS discovered that a phishing email was sent to an employee at a MJHS participating agency. The employee mistook the message as legitimate and responded to the scam email.

MJHS reviewed the employee’s email account and found that some emails in the account contained patient information.

The emails could have potentially exposed patient names, member numbers, diagnoses, treatment dates, and the facilities where a patient was treated.

READ MORE: UnityPoint Allegedly Mishandled Healthcare Data Breach

After learning about the incident, MJHS secured the employee’s email accounts and reviewed other employee emails for similar phishing scams.

To prevent future data security events, MJHS reeducated all staff members about phishing emails and reviewed improvements to user login authentications.

The healthcare network mailed notification letters to all affected patients on March 22 and established a call center to answer questions about the possible healthcare data breach.

MJHS reported that there has been no evidence that patient information was misused.

Email misconduct leads to possible data breach in TX

Some Texas patients were notified of a potential healthcare data breach after Val Verde Regional Medical Center discovered a security breach involving unsecured PHI in an email.

“On or about August 9, 2015, an independent healthcare provider downloaded unsecured protected health information and emailed it to a personal account without encryption protection,” explained the press release. “In addition, the independent contractor was not authorized to access some of the protect[ed] health information.”

Val Verde Regional Medical Center became aware of the possible health data breach on December 8, 2015.

Patient information that may have been in the email included names, addresses, phone numbers, medical record numbers, and visit numbers.

Two thousand individuals were affected by the incident, according to the OCR data breach portal.

In response, Val Verde Regional Medical Center launched an investigation and notified patients who were possibly affected by the event.

Additionally, the medical center conducted an audit and implemented improved security measures to the hospital’s HIPAA security program.

Val Verde Medical Center explained that there have been no reports of improper use of PHI, patient medical histories, or Social Security numbers by unauthorized individuals. The medical center still encouraged all potentially affected patients to monitor credit reports for suspicious activity.

MA medical center reports healthcare data breach

A former Northgate Medical PC employee reportedly stole patient information for marketing purposes, a March 22 statement said.

According to a report, the former employee acquired patient information before leaving the medical center. The former employee did not intend to use the information for identity theft or fraud.

Patients may have had their names, addresses, phone numbers, and dates of births exposed.

Northgate Medical PC notified the police about the theft and they notified all patients who may have been affected by the health data breach.

The medical center encouraged all patients to monitor their credit reports and notify the credit bureaus about potential fraud.

The report does not state how many individuals were potentially affected by the incident. 


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks