A data breach at an Iowa hospital has exposed the Social Security numbers and private medical information of more than 60,000 patients.
Mercy Iowa City began notifying patients on November 13 of a data breach that occurred in spring 2020 after an employee's email account was accessed by a threat actor.
The hospital detected the breach on June 24 when the targeted account began sending out phishing emails and spam. An investigation revealed that the hacked account had been compromised between May 15 and June 24.
Security experts brought in to scrutinize the incident confirmed in October that sensitive patient data could have been accessed by the attacker.
Data exposed may have included names, Social Security numbers, driver's license numbers, and health insurance information.
Chicago-based Polsinelli law firm, representing the hospital, said that 60,473 Iowa residents may have been impacted by the security incident.
In a letter sent out to affected Iowa residents on the hospital's behalf, Bruce Radke of Polsinelli stated: "Mercy is not aware of any fraud or identity theft to any individual as a result of this incident. Nevertheless, because there was an email account compromise, Mercy searched the impacted account to determine if it contained any personal information that may have been viewed by the third party.
"Mercy determined that the compromised account contained certain personal information, including, depending on the person, their name, Social Security number, driver's license numbers, date of birth, medical treatment information, and health insurance information."
Mercy Iowa City is offering one year of complimentary identity theft protection services to patients whose driver's license numbers and Social Security numbers may have been compromised.
The hospital said that it is implementing a series of cybersecurity measures, including multi-factor authentication, to prevent any more breaches from happening.
"We have taken steps to reduce the risk of the type of incident occurring in the future, including enhancing our technical security measures," said Mercy's privacy officer, Kelli Hale.
This latest data spill is the second and worst breach to occur at Mercy Iowa City. In 2016, the acute care hospital reported a security breach that may have exposed the information of 15,625 patients.