Cyber Incident Victim: MercyOne Clinton Medical Center
Date:
Mar 2023
Location:
United States of America
Summary
MercyOne Clinton Medical Center experienced a cyberattack involving unauthorized network access over a month-long period, disrupting operations but not affecting patient care. The breach compromised sensitive data for 20,865 individuals, including personal identifiers, medical details, financial information, and insurance data. While no misuse was confirmed, the organization restored systems from backups but acknowledged unrecoverable data loss affecting patient reports and documents. Forensic analysis was conducted, technical safeguards were enhanced, and impacted individuals were offered credit monitoring and identity protection services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
MercyOne Clinton Medical Center experienced a network disruption on April 4, 2023, prompting an immediate investigation with third-party forensic specialists. The investigation revealed unauthorized access to certain portions of the clinic's network between March 7, 2023, and April 4, 2023. The breach did not disrupt patient care but necessitated restricted system access during remediation efforts. MercyOne initiated secure restoration of its network while conducting a review to determine the specifics of compromised data. Although the forensic analysis remained ongoing as of the May 12, 2023, notification, preliminary findings confirmed the exposure of patient information including names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, financial account details, medical record numbers, Medicare/Medicaid identifiers, treatment or diagnosis information, prescription data, billing records, and health insurance details. The incident affected 20,865 individuals across MercyOne’s clinics in Clinton, Iowa. Data had to be restored from backups, resulting in an inability to fully recover some patient information contained in reports and documents, which may have included the same categories of sensitive data.
MercyOne confirmed no evidence of actual misuse of the exposed information but notified affected individuals out of caution. The response included engaging third-party specialists to restore network security, implementing additional technical safeguards, and reviewing internal data protection policies. Efforts to recreate unrecoverable data were underway. The clinic offered 24-month complimentary credit monitoring and identity protection services through a dedicated assistance line. Patients were advised to review healthcare statements for inaccuracies and monitor financial accounts for suspicious activity. MercyOne recommended contacting credit bureaus to place fraud alerts or credit freezes and provided contact details for the Federal Trade Commission and state attorneys general for identity theft reporting. Restoration of the network continued post-incident to minimize service interruptions while preserving patient care operations.