Mercy Health found out that some of its patient data were uploaded to a private server used for online appointment scheduling, electronic doctor’s office check-ins and other online activities. Because of this, unauthorized people could have accessed the patient information.
Mercy Health already corrected the issue and secured all patient data on March 25, 2019. There was no proof of data theft or unauthorized access uncovered by the investigators. However, it can’t be ruled out with a high level of certainty.
Starting on an uncertain date in 2014 up to March 25, 2019, the patient data was publicly available on the server. The security problem only impacted a number of people who acquired Mercy Health medical services in Muskegon or Grand Rapids, Michigan facilities.
The types of data possibly accessed only included names, email addresses, addresses, and health insurance details for the big majority of impacted persons. The Social Security number and diagnosis data of a small number of patients might also have been exposed.
Mercy Health reported the incident to the proper authorities and sent breach notification letters to the impacted persons. The HHS’ Office for Civil Rights website posted the breach summary indicating that the protected health information (PHI) of 978 patients were exposed.