Mercy Medical Center alerts 97K patients at risk in security breach

Mercy Medical Center in Cedar Rapids has notified 97,000 patients about a security breach that might have compromised their personal information — including name, birth date, address, Social Security number and medical record information like patient account number and dates of admission, discharge and examination.

“We recommend you remain vigilant by reviewing account statements and monitoring free credit reports and promptly report any suspicious activity or suspected identity theft to law enforcement,” according to a Dec. 8 letter to patients signed by Mercy Medical Center Privacy Officer Julie Thompson.

The security breach involved Perry Johnson & Associates, a third-party vendor Mercy used from May 2, 2011, to May 31, 2014, for transcription services to document patient care.

Nevada-based Perry Johnson on May 2 — seven months ago — discovered a possible “security incident” in which an unauthorized person gained access to some of its systems. That person demanded a ransom payment, Mercy told patients.

Perry Johnson responded by launching an investigation and retaining a cybersecurity expert, who made sure the “threat was contained and that PJA’s systems were secured.”

Through its investigation, Perry Johnson on May 22 determined the intruder had gained access to a database with customer information. The company then notified law enforcement and got to work determining the scope of patients affected.

On Aug. 16, the vendor determined the hacker had “obtained the complete backup files for a database which contained customer data for several organizations, including Mercy Medical Center,” according to the letter.

Specifically, the investigation found the hacker obtained those files on April 7 and accessed them again April 19.

Perry Johnson on Oct. 5 determined Mercy Medical Center data was affected and contacted administrators Oct. 10.

“We want you to know Mercy Medical Center takes this situation seriously,” according to the patient letter. “While our relationship with PJA ended in 2014, we have opened an inquiry to determine why the information remained in their systems.”

The overall breach was submitted Nov. 3 to the U.S. Department of Health and Human Services’ Office for Civil Rights — reporting nearly 9 million individuals affected, making it the second largest breach under investigation in the last two years.

Health care data breaches have surged over the last 14 years, according to The HIPPA Journal, reporting 2021 saw more data breaches affecting 500-plus people than any other year on record at 715.

Mercy officials said the incident didn’t involve unauthorized access to its own computer systems and didn’t impact its ability to care for patients.

It also offered free credit monitoring services to affected patients and directed them to national consumer reporting agencies offering a free security freeze and fraud alert on their credit reports.

Comments: (319) 339-3158; vanessa.miller@thegazette.com