Mercy I.C. notifies 15K patients about privacy breach

About 15,000 patients have been notified that a computer virus designed to capture personal data infected some of the hospital's computers in January, an official with Mercy Iowa City and Mercy Clinics in Iowa City said Monday.

"That's a small percentage" compared with the total number of patients the hospital serves, said Margaret Reese, interim director of marketing and community relations and president of the Mercy Hospital Foundation. She said she did not know the total number of patients, adding that "it would be a huge number when you consider all of the many services."

Mercy Iowa City on Friday announced that it was mailing letters to patients, notifying them of the breach of privacy incident that occurred Jan. 26. The news release said Mercy worked to secure the computer system and launched an internal investigation that included working with a "leading forensics firm."

The investigation determined that some computers were infected by the virus.

Information collected may have included patient demographic information, such as dates of birth and addresses; clinical information, such as treatment, diagnosis and medications; or health insurance information, including the insurer's name and policy number. In some instances, Social Security numbers may have been accessed, the release said.

Reese said Mercy has been working with federal law enforcement on its investigation. The hospital's release said current safeguards have been enhanced to protect sensitive data. Reese said she could not comment on what the enhancements were.

To date, there is no proof that any patient information has been used improperly, the hospital's release said.

Patients who have questions can call 844-787-6810 from 8 a.m. to 8 p.m. Monday through Friday. More information can be found on the Mercy website.

Reach Andy Davis at 319-887-5404 or at aldavis@press-citizen.com, and follow him on Twitter as @BylineAndyDavis.