Mercy Health Discovers PHI of 978 Patients Was Exposed

Mercy Health, MI, has discovered that a limited amount of patient data had been saved on a private server that was used for other activities such as online scheduling and electronic physician office check-ins. As a result, patient information could potentially have been accessed by unauthorized individuals.

The issue has been corrected and all patient information has now been secured. The investigation did not uncover any evidence of unauthorized access or data theft, but it was not possible to rule out either with a very high degree of certainty.

Patient information was accessible on the server from an unspecified date in 2014 to March 25, 2019, when the problem was detected and rectified. The security issue only affected certain individuals who had received medical services at Mercy Health facilities in Grand Rapids or Muskegon in Michigan.

The types of information potentially accessed were limited to names, addresses, email addresses, and health insurance information for the vast majority of affected individuals. A limited number of patients may also have had their Social Security number and diagnosis information exposed.

The incident has been reported to the appropriate authorities and affected individuals have been sent breach notification letters. According to the breach summary on the HHS’ Office for Civil Rights website, the protected health information of 978 patients was exposed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.