Cyber Incident Victim: Mercy Iowa City
Date: May 2020
Location: United States of America
Summary
A healthcare provider experienced a breach when an unauthorized actor compromised an employee's email account, using it to send spam and phishing messages over approximately one month before discovery. The investigation found no evidence of personal information misuse but confirmed the account contained data on over 92,000 individuals, including names, Social Security numbers, driver’s license numbers, dates of birth, medical details, and health insurance information. Impacted individuals with exposed Social Security or driver’s license numbers were offered credit monitoring and identity theft protection services for one year.
Description
On May 15, 2020, an unauthorized actor gained access to an employee email account at Mercy Iowa City, initiating a breach that persisted undetected until June 24, 2020. The threat actor utilized the compromised account to distribute spam and phishing emails during this 40-day period. The organization discovered the intrusion on June 24 and promptly engaged a forensic security firm to assist with investigation and containment. While the immediate malicious activity observed involved email misuse for spam and phishing campaigns, the forensic examination focused on determining whether sensitive data within the account had been accessed or exfiltrated. Mercy Iowa City did not publicly disclose the specific method of initial compromise or whether multi-factor authentication was enabled on the affected account. The incident timeline indicates a six-week window between intrusion and detection, during which the attacker maintained persistent access to the email environment. No evidence suggested the attacker targeted specific medical records or clinical systems beyond the email account itself. Containment measures implemented upon discovery included securing the compromised account and terminating unauthorized access.

The forensic investigation revealed the employee's email account contained protected health information and personally identifiable information for 92,795 individuals, including 60,473 Iowa residents. While investigators found no evidence of actual misuse or theft of the exposed data, the compromised information varied by individual and potentially included names, Social Security numbers, driver's license numbers, dates of birth, medical treatment details, and health insurance information. Mercy Iowa City's external counsel notified Iowa authorities about the breach, confirming that individuals whose Social Security numbers or driver's license numbers were exposed would receive 12 months of complimentary credit monitoring and identity theft protection services. The organization did not clarify whether affected individuals were exclusively patients or included employees, nor did the breach appear on HHS's public breach portal at the time of reporting. Notification letters were sent to all impacted parties detailing the scope of exposed information specific to each recipient and outlining available remediation services.
