Mercy Health Love County Hospital Breach: Private Data of Almost 13k People Under Threat After

A HIPAA violation at Mercy Health Love County Hospital may have exposed the private information of in excess pf 13,000 patients in Oklahoma.

On June 23, 2017, the health centre found that a member of staff employee had stolen a laptop computer and paper records from a storage unit used by the facility. The breach notice issued by Mercy Health said that the records of 10 patients were taken from the storage unit along with the laptop.

The Love County Sheriff’s Office investigated the theft of PHI and revealed that the former employee had used the stolen data to fraudulently obtain credit cards in the patients’ names. A second person is also understood to have been involved in the scam.

Mercy Health contacted the ten affected patients immediately, despite the fact that they had up to 60 days to do so under HIPAA Rules, all ten patients were notified immediately. Mercy Health is working with the Love County Sherriff’s Office, the United States Postal Services, and the U.S. Secret Service which are all examining the attack.

In the official breach notice Mercy Health commented, “Although there is no evidence that files belonging to patients aside from the ten patients originally identified were accessed or acquired without authorization, Mercy is nonetheless informing the public of the incident.” All affected individuals have been offered 12 free months of credit monitoring and identity theft repair services.

Richard Barker, Mercy Health Love County Hospital and Clinic Administrator, remarked “We are taking steps to secure all patient information to prevent anything similar from happening.”

A report filed to the Department of Health and Human Services’ Office for Civil Rights says a breach has been experienced involving 13,004 paper/film records, even though it appears that the private records of only 10 patients were stolen,

It is still has not been shown if the storage unit contained the records of 13,004 patients, but only 10 patients’ files were obtained, or if this is a separate attack. HIPAA Journal made contact with Mercy Health for further clarification but has yet to receive an official response.

This article will be updated with additional information as it becomes available.