Data Breach at Iowa Hospital
A data breach at an Iowa hospital has exposed the Social Security numbers and private medical information of more than 60,000 patients.
Mercy Iowa City began notifying patients on November 13 of a data breach that occurred in spring 2020 after an employee's email account was accessed by a threat actor.
The hospital detected the breach on June 24 when the targeted account began sending out phishing emails and spam. An investigation revealed that the hacked account had been compromised between May 15 and June 24.
Security experts brought in to scrutinize the incident confirmed in October that sensitive patient data could have been accessed by the attacker.
Data exposed may have included names, Social Security numbers, driver's license numbers, and health insurance information.
The Chicago-based law firm Polsinelli, representing the hospital, said that 60,473 Iowa residents may have been impacted by the security incident.
In a letter sent out to affected Iowa residents on the hospital's behalf, Bruce Radke of Polsinelli stated: "Mercy is not aware of any fraud or identity theft to any individual as a result of this incident. Nevertheless, because there was an email account compromise, Mercy searched the impacted account to determine if it contained any personal information that may have been viewed by the third party.
"Mercy determined that the compromised account contained certain personal information, including, depending on the person, their name, Social Security number, driver's license numbers, date of birth, medical treatment information, and health insurance information."