Analecta Cyber Company Blog: Data-capturing virus discovered by Mercy Hospital in Iowa City

2016-04-13

Data-capturing virus discovered by Mercy Hospital in Iowa City

Mercy Hospital is a private non-profit Roman Catholic hospital located in Iowa City, Iowa. It is one of only three hospitals in the city, thus serves a major part of the city's population.


Just in the latter part of the first quarter, Mercy released a statement disclosing that sensitive information of approximately 15,000 patient may have been compromised. The likely cause was a computer virus that may have allowed attackers to gather data without detection.

The hospital received information from law enforcement on January 29 of a possible breach in their system with a potential computer virus infection. The hospital immediately hired a leading computer forensics firm to help it carry out an investigation of the computer systems. Results of the investigations revealed that a virus had infected some of the hospital’s computers on January 26, 2016.

Patients notified

The hospital notified every patient that may have been affected with a mailed notice. They were also informed on what possible sensitive information the hackers may have accessed. These included their name, address, birth date, medical diagnoses and treatment information. Their health insurance details, including policy number and provider name, also may have been compromised. Additionally, as a result of the virus, a number of Social Security numbers may have been accessed.

The number of affected patients is considered to be a small percentage of the hospital’s total patient population. Anyone who had previously visited either Iowa City’s Mercy Hospital or Mercy Clinic for treatment was considered likely affected by the breach.

The detection of this virus has encouraged Mercy to re-evaluate security protections, protocols, and technical safeguards. They have expressed a consistent desire of improving security practices in their hospitals to better protect every patient's health data. Currently, a police investigation into the data breach remains open. Mercy Hospital has not received any reports of misuse of the compromised data. Nevertheless, authorities cannot rule out data theft.

In a matter of weeks, five hospitals in the United States have reported cyberattacks, including some ransomware attacks. In the case of Mercy Hospital, the attacker's aim was to access and steal sensitive data and not hold data hostage in exchange for ransom.

All patients were advised to take measures in securing their accounts. Given the fact that insurance information has potentially been compromised, they were also advised to check Explanation of Benefits (EOB) statements for signs of fraudulent activity. Also, it would be helpful if they would consider placing fraud alerts on their credit files.