It started as so many breaches do — with the compromise of an employee’s email account.
From May 15 until June 24, a threat actor accessed the account and used it to send spam and phishing emails. The breach was discovered on June 24.
Mercy Iowa City’s investigation, assisted by a forensics security firm. ultimately discovered that while there was no evidence of misuse of any personal information in the employee’s account, it did contain information on 92,795 individuals, 60,473 of whom are Iowa residents.
But are those individuals all patients, or are some employees? It is not yet clear and DataBreaches.net wrote to Mercy Iowa City to ask but has received no reply as yet, and this incident does not yet appear on HHS’s public breach tool.
According to the provider’s external counsel’s notification to Iowa, however, the types of information varied somewhat by person, but might have included their name, Social Security number, driver’s license number, date of birth, medical treatment information, and health insurance information. Those who had SSN or DL involved are being offered credit monitoring and identity theft protection services for 12 months.