Mercy Iowa City and Mercy Clinic notify patients after alerted to malware by law enforcement (updated)
Update of March 28: This breach reportedly affected 15,000 patients.
Public notice from Mercy Iowa City, dated March 25:
Notice to our Patients Regarding a Privacy Incident
Mercy Iowa City (“Mercy”) is committed to protecting the security and confidentiality of our patients’ information. Regrettably, this notice concerns an incident involving some of that information.
On January 29, 2016, law enforcement advised us that a computer virus had potentially infected some of our systems on January 26, 2016. We immediately took steps to secure the computer systems and began an internal investigation, including working with a leading forensics firm to assist with the investigation. Our investigation determined that some of our computers were infected by a virus designed to capture personal data.
We have no evidence that patient information has been used improperly. However, we are not able to rule out that some limited portions of patient information may have been improperly accessed through an outside source. This information may have included patient demographic information (such as name, date of birth, address), clinical information (such as treatment, diagnosis, medications), or health insurance information (such as name of insurer, policy number). In some instances, Social Security numbers may have been affected. We continue to work with law enforcement in its investigation.
This incident did not affect all Mercy Hospital and Mercy Clinic patients.
Although to date, we have no evidence that any patient information has been used improperly as a result of this incident, we began mailing letters to affected individuals on March 25, 2016, and established a dedicated call center to answer any questions they may have. If you believe you are potentially affected, but have not received a letter by April 11, 2015, please call 1-844-787-6810, Monday through Friday, between 8:00 a.m. and 8:00 p.m. Central Time.
Mercy deeply regrets any inconvenience this may have caused our patients. To help prevent something like this from happening in the future, we have enhanced our existing technical safeguards to protect patient information.