MercyOne, based in West Des Moines, Iowa, is facing a lawsuit for a May data breach in which an unauthorized party accessed its network, compromising the protected health information of 20,000 patients, Iowa Capital Dispatch reported June 15.
Tiffany Harris, who is a patient at MercyOne, filed the lawsuit alleging that the health system was negligent in protecting patients' data. Ms. Harris seeks unspecified damages and a court injunction that would "help ensure patient information is kept confidential and protected from any future hacks," according to the publication.
MercyOne posted a breach notification on May 12 stating that the unauthorized user accessed its network from March 7 to April 4.
Patient names, addresses, dates of birth, driver's license numbers, Social Security numbers, financial account information, treatment and condition information, diagnostic information, prescription-medicine information and billing information were among the information compromised.
"MercyOne Clinton Medical Group experienced a network disruption on April 4 that impacted certain systems. We began an investigation immediately with the assistance of third-party computer forensic specialists," a spokesperson for MercyOne told Becker's. "At MercyOne, we take any potential privacy and security incident seriously and follow all regulatory reporting requirements related to these types of matters. We continue to investigate the full nature and scope of this incident and we apologize for any inconvenience this may cause."