Mercy Health is notifying almost 1,000 patients that their data may have been accessed by an unauthorized individual.
In March, Mercy Health, a non-profit healthcare system in west Michigan, discovered that some protected health information (PHI) may have been exposed after realizing that patient data had been stored on a private server used for other purposes, such as online scheduling and check-ins. Because the server did not require users to authenticate, anyone who reached it could have accessed the stored data without proving their identity.
An investigation was launched into the incident. Mercy Health determined that patient data may have been accessible on the server for a number of years, from some time in 2014 until March 25, 2019. The data pertained only to individuals who had received medical services at Mercy Health facilities in Grand Rapids or Muskegon, Michigan.
Investigators did not find evidence that an unauthorized individual accessed or stole the data, but could not definitively rule out either possibility.
The types of information potentially accessed were limited to names, addresses, email addresses, and health insurance information for the vast majority of affected individuals. A limited number of patients may also have had their Social Security number and diagnosis information exposed.
Mercy Health has since stated that it has implemented measures to address the issue and has secured all patient information.
In accordance with the HIPAA Breach Notification Rule, Mercy Health has reported the breach to the appropriate authorities and has sent breach notification letters to all affected individuals.
According to the breach summary on the HHS’ Office for Civil Rights website, the protected health information of 978 patients was exposed.