Mercy Health Love County Hospital Breach Potentially Impacts 13,000 Patients’ PHI

Mercy Health Love County Hospital in Oklahoma had a data breach potentially impacting over 13,000 patients. On June 23, 2017, the hospital found out that an employee stole both laptop computer and paper documents from a hospital’s storage unit. As stated in the breach notice, the health records of 10 patients were obtained from the storage unit together with the laptop.

The Love County Sheriff’s Office first investigated the theft of PHI. It was reported that the previous employee utilized the stolen data to fraudulently get credit cards using the names of the patients. Another person also helped the thief do his fraudulent act.

Although Mercy Health had around 60 days to alert patients regarding breach following the HIPAA Rules, all ten patients had been informed right away. Mercy Health is working together with the Love County Sherriff’s Office, the U.S. Secret Service and the United States Postal Services in investigating the breach.

Mercy Health mentioned in its press release that no report had been received that suggest unauthorized persons viewed or acquired the information of the ten patients, Nevertheless  Mercy Health is updating the public regarding the incident. In addition, all patients affected by the breach were provided 12 months of credit monitoring and identity theft repair services for free.

Richard Barker, Mercy Health Love County Hospital and Clinic Administrator said that they were taking steps to safeguard all patient data to prevent similar incidents from occurring.”

Though it would seem that only the information of 10 patients were obtained, the report handed over to the Department of Health and Human Services’ Office for Civil Rights reveals that a total of 13,004 paper and film records were affected by the breach.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

It is presently not clear whether the storage unit did have the PHI of 13,004 patients, but only 10 patients’ records were taken by the unauthorized person, or if there was another incident. Further information will be posted regarding this incident as soon as something becomes available.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/