25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data-Capturing Virus Discovered by Mercy Hospital in Iowa City

Posted By on Mar 29, 2016

A computer virus may have allowed hackers to obtain the data of approximately 15,000 patients of Mercy Iowa City, according to a statement released by the hospital late last week.

Patients started to be notified of the security breach by mail on Friday March 25, 2016., and have been informed that their name, address, date of birth, medical diagnoses, treatment information, and health insurance details – including their policy number and provider name – may have been compromised. Some Social Security numbers could also have been improperly accessed as a result of the infection. Only a small percentage of Mercy patients have been affected by the breach, all of whom had previously visited either Iowa City’s Mercy Hospital or Mercy Clinic for treatment.

Mercy enlisted the services of a leading computer forensics firm to conduct a full analysis of its computer systems after a tip off was received from law enforcement on January 29, 2015., about a potential computer virus infection. The forensic analysis revealed a number of the hospital’s computers had been infected with a virus on January 26, 2016.

In recent weeks, five hospitals in the United States have reported cyberattacks involving ransomware, although in this instance the purpose of the virus was not to encrypt data but to steal it. Mercy has not received any reports that data have been used inappropriately, and no evidence has been uncovered to suggest protected health information was actually exfiltrated or viewed by the attackers, but data theft could not be ruled out.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Patients therefore could be at risk of suffering identity theft or fraud and should take steps to secure their accounts. Since insurance information has potentially been compromised, patients should check Explanation of Benefits (EOB) statements carefully for any sign of fraudulent activity and should consider placing fraud alerts on their credit files.

The discovery of the virus has prompted Mercy to reassess security protections and technical safeguards have now been improved at the hospital to better protect patient health data. A police investigation into the Mercy Iowa City data breach is ongoing.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist