Breach at Mercy Health Exposed PHI of 978 Patients

Mercy Health learned that some patients’ data had been loaded onto a private server used for web appointment management, digital doctor’s office check-ins and various other online functions. As a result, unauthorized persons could have viewed the patient data.

Mercy Health remedied the problem and secured all patient data on March 25, 2019. The investigators did not find any proof of data theft or unauthorized data access. Nonetheless, neither can be ruled out with a high level of confidence.

The patient information was publicly accessible on the server from an unknown date in 2014 until March 25, 2019. The security issue affected only people who received medical services from Mercy Health in Muskegon or Grand Rapids, Michigan.

For most of the patients, unauthorized persons may have accessed the following types of information: names, addresses, email addresses, and medical insurance data. A small number of patients may also have had their Social Security number and diagnosis information exposed.

Mercy Health submitted the incident report to the proper authorities and mailed breach notification letters to the affected people. The breach summary posted on the HHS’ Office for Civil Rights portal indicates that the protected health information (PHI) of 978 patients was exposed.

Elizabeth Hernandez
