Mercy Iowa City hospital has revealed a data breach that may have compromised the personal and health information of 60,473 patients.
According to a letter sent earlier this month, the security incident was discovered in June when an unauthorized party sent out phishing emails from a staff member’s account.
“On or about June 24, 2020, Mercy discovered that one employee’s email account had been used to send out spam/phishing emails,” the letter reads. “Upon conducting an investigation, Mercy determined that an unauthorized third party gained access to one Mercy employee’s email account from May 15, 2020 until June 24, 2020.”
During the investigation, the hospital established that personal information could have been viewed by the unauthorized third party, including Social Security numbers, driver’s license numbers, dates of birth, medical treatment information and health insurance information of over 60,000 Iowans.
“Mercy is not aware of any fraud or identity theft to any individual as a result of this incident,” the hospital added.
Following the breach, Mercy said that it secured the compromised account and hired a security company to investigate and audit the security of its IT systems. Additionally, “Mercy is undertaking efforts to reduce the risk of a similar incident occurring in the future, including enhancing its technical safeguards and implementing multifactor authentication.”
While there have been no reports of fraud so far, the hospital is offering a complimentary 12-month credit monitoring and identity theft protection service for residents whose Social Security and driver’s license numbers were affected by the breach.
However, all impacted patients should closely monitor their bank and health insurance statements, and be wary of any phishing emails asking for additional financial or personal information.