MercyOne Files Notice of Data Breach Impacting the PHI of More Than 20k Patients

Console and Associates, P.C.

On June 2, 2023, MercyOne Clinton (“MercyOne,” “MercyOne Clinics”) filed a notice of data breach with the Attorney General of Massachusetts after learning that confidential patient information was leaked following a cyberattack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, dates of birth, driver’s license numbers, state identification numbers, Social Security numbers, financial account information, and protected health information. After confirming that consumer data was leaked, MercyOne began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.

If you received a data breach notification from MercyOne, it is essential you understand what is at risk and what you can do about it. As a healthcare provider, MercyOne possesses a vast amount of highly sensitive patient data. This makes the company a prime target for hackers looking to steal patient data in hopes of committing identity theft and other frauds. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the MercyOne Clinics data breach, please see our recent piece on healthcare data breaches here.

What We Know So Far About the MercyOne Clinics Breach

News of the MercyOne Clinics data breach is still fresh, and what we know at this point comes from the company’s filing with the Attorney General of Massachusetts. According to this source, on April 4, 2023, MercyOne experienced a network disruption impacting a portion of the company’s computer network. In response, MercyOne retained a team of cybersecurity experts to assist with the company’s investigation.

The MercyOne investigation confirmed that an unauthorized party was able to access parts of the company’s computer system between March 7, 2023 and April 4, 2023, which is the day the company discovered the incident. It was later determined that some of the files that were subject to unauthorized access contained confidential patient information.

Upon discovering that sensitive consumer data was made available to an unauthorized party, MercyOne Clinics began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, date of birth, driver’s license number, state identification number, Social Security number, financial account information, and protected health information.

On June 7, 2023, MercyOne Clinics sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About MercyOne

Founded in 1893, MercyOne is a healthcare system based out of Cedar Rapids, Iowa. MercyOne operates over 300 care locations across Iowa, including 18 medical centers and 23 affiliated organizations. MercyOne serves more than 4.1 million patients each year. MercyOne Clinics employs more than 20,000 people and generates approximately $1.5 billion in annual revenue.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising
