Mercy Health Data Breach Affects 1,000 Patients

A data breach at Mercy Health has impacted nearly 1,000 patients.

The non-profit healthcare system in west Michigan discovered that some protected health information (PHI) may have been exposed after realising patient data was stored on a private server that was used for other purposes, such as online scheduling and check-ins. As the information was saved on this private server, it was possible for individuals to access the data without having their identity authenticated.

An investigation was launched into the incident. Mercy Health discovered that patient data may have been accessible on the private server for a number of years, stretching from March 25, 2019, back to some time in 2014. The data only pertained to individuals who had received medical services at Mercy Health facilities in Grand Rapids or Muskegon in Michigan.

Investigators did not find evidence to suggest that an unauthorised individual accessed or stole the data, but could not rule out either act definitively.

The types of information potentially accessed were limited to names, addresses, email addresses, and health insurance information for the vast majority of affected individuals. A limited number of patients may also have had their Social Security number and diagnosis information exposed.

Mercy Health has since stated that they have implemented measures to solve the issue and have secured all patient information.

Following HIPAA’s Breach Notification rules, Mercy Health has reported the breach to the appropriate authorities. They have also sent all affected individuals breach notification letters.

According to the breach summary on the HHS’ Office for Civil Rights website, the protected health information of 978 patients was exposed.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism.