Patients’ PHI Exposed in Breach Incidents at Mercy Medical Center North Iowa and Arthritis & Osteoporosis Consultants of the Carolinas


Mercy Medical Center North Iowa discovered that a former employee may have accessed patients’ healthcare records without appropriate authorization for over 12 months.

The medical center conducted an internal investigation of the incident, which revealed that a former employee had wrongly accessed patient data from July 2017 to July 2018. The employee had access to patient data for carrying out work responsibilities; however, Mercy Medical Center North Iowa did not confirm whether the employee had access to all records for fulfilling work-related purposes.

The types of data potentially accessed by the former employee only included names, birth dates, addresses, prescribed medicines, and insurance details. Mercy Medical Center mailed breach notification letters to the impacted patients on November 26, 2018 and offered one year of free identity theft protection services to all those whose personal data were exposed.

Because of the unauthorized data access, Mercy Medical Center North Iowa reviewed its privacy procedures and provided additional training to employees to reinforce previous training on patient privacy and HIPAA Rules.

In a press release, Mercy Medical Center North Iowa stated that Mercy-North Iowa takes seriously its responsibility to safeguard the PHI of patients and apologizes for any worry or inconvenience caused by the incident.

Mercy Medical Center has already reported the privacy violation to the police and the HHS’ Office for Civil Rights. As reported in the Globe Gazette, about 1,900 current and former patients were notified regarding the breach.

Another data breach involved 3,930 patients of Arthritis & Osteoporosis Consultants of the Carolinas (AOCC), based in Charlotte, NC. The patients were notified regarding the exposure of some of their protected health information (PHI).

On September 10, 2018, it was discovered that a report containing patients’ private and healthcare information was missing. AOCC is convinced that the report was thrown away in the garbage by mistake, since it had not yet been shredded.

AOCC believes that no one has viewed the report except the authorized AOCC employee. No reports indicating misuse of patient information have been received. The following data were included in the report: names, dates of birth, payer-issued ID numbers, insurance details, treating doctors’ names, and the name of an infusion drug that was given to selected patients.