Mercyhealth announced Wednesday that some of its patients’ personal information might have been compromised last fall.
There is no evidence anyone’s information was misused, but an email security breach at a company that worked for Mercyhealth was discovered in December, according to a news release issued by Mercyhealth late Wednesday afternoon.
The company, OS Inc., had the information because it updated addresses of Medicare beneficiaries for Mercyhealth in 2015 and has handled Mercyhealth’s billing for dialysis services, the release states.
“The types of information potentially impacted by the incident did not include financial or clinical information. However, OS will be directly notifying potentially affected patients,” according to the release.
The information that might have been accessed includes names, dates of birth, dates of service, patient identification numbers, Social Security numbers in the form of an insurance identification number and, for a limited number of people, medical record numbers, the release states.
The release does not say how many people’s information was exposed. Mercyhealth officials were not immediately available for comment.
The release says Mercyhealth “recently” learned of the problem.
OS learned of “suspicious activity” in one employee’s email account around Dec. 21, and OS immediately changed the employee’s email credentials, notified law enforcement and launched an investigation, according to the release.
“OS also began working with forensic experts to determine the nature and scope of the suspicious activity,” according to the release, and on Feb. 20 the company confirmed that an “unauthorized individual gained access to the employee’s email account from Oct. 15, 2018, through Dec. 21, 2018, utilizing account credentials obtained through a phishing email campaign.”
Forensic experts were unable to confirm the specific messages or attachments within the email account that might have been subject to unauthorized access or acquisition, but OS began a review “to confirm the identities of the individuals whose information may have been accessible to the unauthorized individual,” the release states.
On May 21, OS provided Mercy a list of the patients whose information might have been accessible within the email account, according to the release.
Those being notified of the problem are “patients for whom OS has a valid mailing address,” according to the release.
Notifications will include steps people can take to protect themselves against potential fraud or identity theft, according to the release.
“In the current security environment, everyone should be regularly monitoring credit reports, account statements and benefit statements,” the release continues. “Suspicious activity should be reported to the entity with which the account is maintained and proper law enforcement authorities.”
OS has told Mercy that OS has taken action “to help prevent this type of incident from occurring in the future.”