Mercy Iowa City patients warned of privacy breach; details released to Iowa Attorney General’s Office on Friday


Mercy Iowa City has sent a letter to patients warning them of a recent security breach.

The letter, signed by Mercy Privacy Officer Kelli Hale, says last summer the hospital learned that an unauthorized third party gained access to an employee’s email account that contained personal patient information. The unauthorized access occurred from May 15th to June 24th, 2020. Hale says once Mercy learned of the breach, it shut down access to the account.

On October 3rd, a security firm contracted by Mercy learned that the compromised email account included patient names, dates of birth, medical treatment information, and health insurance information. It did not include Social Security numbers.

Hale says Mercy has no reason to believe any of the patient information has been misused or even viewed by any unauthorized parties. She adds Mercy has taken steps to make sure such security breaches do not happen in the future.

Mercy’s attorneys told the Iowa Attorney General’s Office on Friday that over 60,000 patients may have been affected and have received letters. Affected patients were not necessarily treated at the hospital during the time of the breach. One patient who was notified told KCJJ he hasn’t been a patient at the hospital in over a year.

The letter to the Attorney General’s Office says Mercy became aware of the breach on June 24th after the account began sending out spam emails.