
Cyber Incident Victim: Mercy Iowa City

Date: Jan 2016

Location: United States of America

Summary

Mercy Iowa City experienced a cybersecurity incident involving a malware infection on its systems, discovered through a law enforcement alert. The hospital promptly secured affected systems and initiated an investigation with a forensics firm, determining that the malware targeted patient data. Compromised information included demographic details, clinical records, insurance data, and some Social Security numbers, though no evidence of misuse was found. Approximately 15,000 patients were notified, with a dedicated call center established for inquiries. The organization enhanced its technical safeguards following the incident to mitigate future risks.


Description

On January 29, 2016, Mercy Iowa City and Mercy Clinic were notified by law enforcement that a computer virus had potentially infected some of their systems three days earlier, on January 26. The healthcare organization immediately initiated security measures to isolate and secure affected computer systems. Mercy launched an internal investigation and engaged a leading forensics firm to assist in determining the scope and nature of the malware infection. The forensic analysis confirmed that specific computers within Mercy's network had been compromised by malware specifically engineered to capture personal data. While investigators found no evidence that patient information had been misused following the breach, Mercy acknowledged it could not definitively rule out unauthorized access to patient data through external channels. The malware's presence created a potential exposure window during which sensitive information might have been exfiltrated.


The investigation revealed that compromised data could include patient demographic details (names, dates of birth, addresses), clinical information (treatment records, diagnoses, prescribed medications), and health insurance particulars (insurer names, policy numbers). A subset of records also potentially exposed Social Security numbers. Mercy clarified that not all patients of the hospital or affiliated clinics were impacted by this incident. On March 25, 2016, Mercy began mailing notification letters to affected individuals, later confirmed to total 15,000 patients according to a March 28 update. The organization established a dedicated call center operational from March 25 onward, instructing patients who hadn't received letters by April 11 to contact them for verification. Mercy implemented enhanced technical safeguards following the incident to strengthen existing security protocols, though specific mitigation details were not publicly disclosed. No further evidence of data misuse emerged in Mercy's subsequent disclosures regarding the breach.
