Data-Capturing Virus Discovered by Mercy Hospital in Iowa City

A computer virus may have allowed hackers to obtain the data of approximately 15,000 patients of Mercy Iowa City, according to a statement released by the hospital late last week.

Patients started to be notified of the security breach by mail on Friday March 25, 2016., and have been informed that their name, address, date of birth, medical diagnoses, treatment information, and health insurance details – including their policy number and provider name – may have been compromised. Some Social Security numbers could also have been improperly accessed as a result of the infection. Only a small percentage of Mercy patients have been affected by the breach, all of whom had previously visited either Iowa City’s Mercy Hospital or Mercy Clinic for treatment.

Mercy enlisted the services of a leading computer forensics firm to conduct a full analysis of its computer systems after a tip off was received from law enforcement on January 29, 2015., about a potential computer virus infection. The forensic analysis revealed a number of the hospital’s computers had been infected with a virus on January 26, 2016.

In recent weeks, five hospitals in the United States have reported cyberattacks involving ransomware, although in this instance the purpose of the virus was not to encrypt data but to steal it. Mercy has not received any reports that data have been used inappropriately, and no evidence has been uncovered to suggest protected health information was actually exfiltrated or viewed by the attackers, but data theft could not be ruled out.

Patients therefore could be at risk of suffering identity theft or fraud and should take steps to secure their accounts. Since insurance information has potentially been compromised, patients should check Explanation of Benefits (EOB) statements carefully for any sign of fraudulent activity and should consider placing fraud alerts on their credit files.

The discovery of the virus has prompted Mercy to reassess security protections and technical safeguards have now been improved at the hospital to better protect patient health data. A police investigation into the Mercy Iowa City data breach is ongoing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.