Cybersecurity Incident at MercyOne Triggers Potential Patient Data Loss

June 09, 2023 - A cybersecurity incident at Iowa's MercyOne Clinton Medical Center leaves around 21,000 patients at risk of protected health information (PHI) exposure and possible data loss.

An unauthorized third party gained access to MercyOne Clinton Medical Center's network between March 7 and April 4, 2023.

Though patient care was unaffected, the security breach blocked access to its systems until remediation occurred. The cybersecurity incident exposed various types of PHI, ranging from names and addresses to mental or physical treatment details and insurance data.

MercyOne engaged third-party forensic specialists to restore secure access to their network and revisited data protection policies. Even as efforts are ongoing to restore data from backups, some data loss is likely.

“In response to the incident, MercyOne Clinics worked with third-party computer forensic specialists to securely restore access to information on our Clinics’ network, and we are reviewing our policies and procedures related to data protection. We are also taking additional technical steps to recreate data we were unable to fully restore,” MercyOne stated.

To strengthen its security posture, additional technical safeguards have been implemented to prevent future attacks.

Sparta Community Hospital District Faces Employee Email Breach

Sparta Community Hospital District began notifying nearly 900 individuals of an employee email breach that led to potential PHI exposure.

Suspicious activity in an email account led to the discovery on March 28, 2023, prompting immediate action to secure the account and reinforce the email environment with additional security controls.

“After learning of the incident, Sparta Hospital launched an internal investigation to determine the nature and scope of this incident,” the organization wrote.

“The investigation confirmed that an unauthorized individual gained access to one Sparta Hospital employee’s email account from March 27 to March 28, 2023. Out of an abundance of caution, Sparta Hospital conducted a comprehensive review of the employee’s mailbox to determine what personal information may have been present in the email account.”

By April 12, a review confirmed that patient information was present in the compromised account. Data including names, addresses, phone numbers, dates of birth, medical record numbers, doctor's names, medical diagnoses, and limited treatment information were exposed. However, neither financial information nor Social Security numbers were breached.

Following the attack, Sparta Hospital implemented enhanced security measures to safeguard the information under its management.

The hospital has begun to mail out notification letters to the individuals potentially impacted by the breach, providing resources to help protect patients’ personal information.

Federal law enforcement has also been notified of the incident, and a report will be submitted to the U.S. Department of Health and Human Services. 

Mississippi Children’s Home Society Announces Healthcare Data Breach

Mississippi Children’s Home Society, CARES Center Inc, and Mississippi Children’s Home Services Inc. recently revealed they are investigating and addressing a healthcare data breach, the extent of which remains undisclosed, including the number of patients affected.

On April 4, 2023, Canopy Children's Solutions discovered encrypted files on its systems, indicating a cyberattack.

Canopy promptly secured its systems and initiated a thorough investigation with the assistance of third-party forensic experts.

The investigation revealed that unauthorized access was gained to specific systems, and files and folders might have been accessed or retrieved. Once the investigation is complete, Canopy plans to quickly send letters to potentially impacted individuals, providing details about the types of potentially affected information.

“Canopy encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor their credit reports for suspicious activity. Individuals may contact the three major credit reporting agencies for advice on how to obtain free credit reports and how to place fraud alerts and security freezes on credit files,” the press release stated.