Mercy Medical Center – Clinton, Inc.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The breach at Mercy Medical Center – Clinton, Inc., also known as MercyOne Clinton, was a significant cybersecurity incident that occurred between March 7 and April 4, 2023. This breach resulted in unauthorized access to the network, affecting the sensitive personal and health information of approximately 20,865 patients. The types of information exposed in this breach included names, addresses, dates of birth, driver’s license/state identification numbers, Social Security numbers, financial account information, medical record numbers, encounter numbers, Medicare or Medicaid identification numbers, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information[1][2][3][4][6][13].

MercyOne Clinton took immediate action by engaging third-party forensic specialists to investigate the breach and assist with their response. They also began efforts to restore data from backups, although some data loss was likely. In response to the incident, MercyOne Clinton reviewed its policies and procedures related to data protection and implemented additional technical safeguards to prevent future attacks[6].

Affected individuals were notified of the breach and offered credit monitoring and identity protection services. MercyOne Clinton also advised individuals to remain vigilant by reviewing account statements and credit reports for signs of unauthorized activity[1][4].

The breach has led to at least two potential class-action lawsuits against Mercy Health Network (also known as MercyOne Clinics) and its parent, Trinity Health Corp. The lawsuits allege negligence, breach of implied contract, unjust enrichment, and violations of the Health Insurance Portability and Accountability Act (HIPAA), seeking unspecified damages and court injunctions to ensure the confidentiality of patient information[7][11][14].

This incident underscores the growing concerns surrounding cybersecurity in the healthcare sector and the importance of robust security measures to protect sensitive patient information[11][15].

Citations:

  1. https://www.turkestrauss.com/2023/06/07/mercyone-clinton-data-breach-investigation/
  2. https://www.hipaajournal.com/patient-data-loss-likely-mercy-medical-center-clinton/
  3. https://www.scmagazine.com/brief/separate-breaches-impact-mercyone-other-health-providers
  4. https://www.clintonherald.com/news/state_news/mercyone-patients-private-information-may-have-been-accessed-in-data-breach/article_68f4950c-f12f-11ed-b64f-1b02e33085dc.html
  5. https://www.desmoinesregister.com/story/news/health/2022/10/06/mercyone-clinics-open-after-online-systems-shut-down-cyberattack/69544758007/
  6. https://healthitsecurity.com/news/cybersecurity-incident-at-mercyone-triggers-potential-patient-data-loss
  7. https://siouxcityjournal.com/news/state-regional/business/article_de96ef44-0015-5756-bc37-04a208bc2140.html
  8. https://www.myinjuryattorney.com/mercyone-data-breach-investigation/
  9. https://www.desmoinesregister.com/story/news/health/2022/10/14/mercyone-hospital-parent-company-confirms-ransomware-attack-led-to-outages/69562995007/
  10. https://original.newsbreak.com/@openclassactions-com-1602283/3054816823046-have-you-ever-been-a-patient-at-mercyone-medical-center-in-clinton-iowa-you-may-be-owed-money-due-to-a-data-breach
  11. https://www.ifaxapp.com/hipaa/data-breach-class-action-trinity-health/
  12. https://www.jdsupra.com/legalnews/mercyone-files-notice-of-data-breach-5311539/
  13. https://www.mass.gov/doc/assigned-data-breach-number-29720-mercy-medical-center-clinton-inc/download
  14. https://iowacapitaldispatch.com/2023/06/15/hospital-data-breach-triggers-two-class-action-lawsuits/
  15. https://www.ifaxapp.com/hipaa/mercy-cyberattack-patient-data-risk/
Breach Submission Date Jun 02, 2023
Converted Entity Name Mercy Medical Center - Clinton, Inc.
Converted Entity Type Healthcare Provider
State IA
Individuals Affected 20,865
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes