Deaconess Health System data breach exposes PHI through a vendor
Tshedimoso Makhene
March 26, 2026
A data breach affecting Deaconess Health System exposed patient information after hackers accessed a third-party vendor’s system.
What happened
Deaconess Health System has disclosed a data security incident involving a third-party vendor that may have exposed sensitive patient information. The breach originated from MediCopy, a release-of-information provider used by the health system.
According to reports, an unauthorized actor gained access to MediCopy’s cloud-based file-sharing platform and downloaded files on January 13, 2026. The incident was later discovered on February 2, when the vendor alerted Deaconess.
The compromised data may include personally identifiable information (PII) and protected health information (PHI), such as names, Social Security numbers, dates of birth, medical record numbers, treatment details, and insurance information.
Following the discovery, both Deaconess and MediCopy launched an investigation, identified affected individuals, and began issuing notification letters. Impacted patients are being offered credit monitoring and identity protection services.
What was said
In its official breach notice, Deaconess noted that “MediCopy, notified us of a data security incident that involved some Deaconess patient information related to ROI requests.” After conducting an investigation, they “began a comprehensive review of the involved files to identify individuals whose information was included.”
Deaconess reassured its patients, noting that “The incident did not involve or impact any of Deaconess’s IT systems or our electronic medical record system,” suggesting that the exposure was limited to information handled externally.
“To help prevent something like this from happening again, MediCopy has implemented additional measures to further strengthen the security of its file sharing platform and the Deaconess information it maintains. We also reported the incident to the relevant agencies,” they said.
Why it matters
According to IBM, “In 2022, 20% of data breaches were linked to third parties.” This statistic shows how, even if internal security measures are strong, external vendors can still expose sensitive patient data.
The Deaconess Health System incident is a clear example of this growing risk. While its internal systems remained secure, a breach at a vendor handling patient records was enough to compromise PHI.
FAQs
Why are third-party vendors a risk in healthcare?
Healthcare organizations often rely on vendors for services like billing and record sharing. If those vendors have weak security, they can become an entry point for cyberattacks.
How can healthcare organizations prevent similar breaches?
They can improve vendor oversight, regularly assess third-party risks, and adopt secure communication tools such as Paubox to better protect sensitive data.
Why would hackers target healthcare data?
Healthcare data is highly valuable because it contains a mix of personal, financial, and medical information that can be used for identity theft or fraud.
