MediCopy Data Breach Impacts Deaconess Health System

Deaconess Health System reported a data breach involving patient information shared with a third-party vendor, MediCopy, following unauthorized access to a cloud-based file-sharing platform.

Incident Overview

Deaconess Health System, based in Evansville, Indiana, disclosed a security incident affecting certain patients of Deaconess Union County Hospital in Morganfield, Kentucky and Deaconess Henderson Hospital in Henderson, Kentucky. The organization manages 18 hospitals throughout western Kentucky, southwestern Indiana, and southeastern Illinois.

The breach involved a third-party vendor relationship. Deaconess Health System had contracted with MediCopy, a company owned by MRO Corp, to manage release of information requests. In compliance with HIPAA laws, MediCopy notified Deaconess Health System of the incident on February 2, 2026.

Unauthorized Access Details

The investigation determined that an unauthorized actor accessed cloud-based file-sharing software managed or controlled by MediCopy on January 13, 2026. Files associated with release of information requests were downloaded during the incident.

No unauthorized access occurred within Deaconess Health System’s internal information technology systems or its electronic health record system. MRO’s spokesperson stated that the breach did not affect the MRO platform and the MediCopy systems.

Affected Information

Deaconess Health System conducted a review of the impacted data and identified multiple categories of information involved in the breach. The compromised data included: Names, birth dates, dates of service, Social Security numbers, medical record numbers, medical insurance information, medical records associated with treatment received at Deaconess Health System hospitals. The number of affected individuals has not been publicly disclosed.

Notification and Mitigation Actions

Deaconess Health System is issuing notification letters to affected individuals. The organization is also providing free credit monitoring and identity theft protection services. Additional security measures have been implemented to strengthen protections for the file-sharing platform.

Regulatory Reporting Status

Deaconess Health System confirmed that the incident has been reported to appropriate agencies. The breach is not yet published on the U.S. Department of Health and Human Services Office for Civil Rights breach portal.

Data breach reports are delayed in posting to the breach portal. While some breaches with reporting dates prior to February 26, 2026 have been added, no new entries were listed after that date as of March 25, 2026.

Image credit: bixpicture, Adobestock

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

John Blacksmith

John Blacksmith is a journalist with several years experience in both print and online publications. John has specialised in Information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years experience.
Twitter
LinkedIn