Breach at Mercy Health Exposed PHI of 978 Patients

Mercy Health learned that some patients’ data were loaded to a private server being utilized for web appointments management, digital doctor’s office check-ins and various online functions. As a result, unauthorized persons could possibly have viewed the patient data.

Mercy Health has remedied the problem and secured all data of patients on March 25, 2019. The investigators did not find any proof of stolen data or unauthorized data access. Nonetheless, these incidents can’t be ruled out with a high level of confidence.

Beginning on an unsure date in 2014 until March 25, 2019, the patient information was publicly accessible on the server. The security issue just affected the men and women who obtained medical services from Mercy Health in Muskegon or Grand Rapids, Michigan.

The unauthorized persons possibly accessed the following types of information for most of the patients: names, addresses, email addresses, and medical insurance data. A small number of patients possibly had their Social Security number and diagnosis information exposed.

Mercy Health submitted the incident report to the proper authorities and mailed breach notification letters to the affected people. The breach summary has been posted on the HHS’ Office for Civil Rights portal indicating that 978 patients’ protected health information (PHI) were exposed.