Company Details
mercyhealth-chp
14,071
79,056
62
mercy.com
0
MER_1765720
In-progress


Mercy Health Vendor Cyber Rating & Cyber Score
mercy.comAt Mercy Health, we understand that every family is a universe. A network of people who love, and support, and count on one other to be there. Everybody means the world to someone and we are committed to care for others so they can be there for the ones they love. With nearly 35,000 employees across regions of Ohio and Kentucky, we’re one of the largest health care systems in the country. At each of our more than 600 points of care, we deliver high-quality, compassionate care with one united purpose: to help our patients be well in mind, body and spirit.
Company Details
mercyhealth-chp
14,071
79,056
62
mercy.com
0
MER_1765720
In-progress
Between 750 and 799

Mercy Health Global Score (TPRM)XXXX

Description: Mercy Health Lorain Hospital Laboratory experienced HIPAA breach due to contractor invoice printing error. No actual or attempted access or misuse of patient or guarantor information has been discovered. Batches of medical invoices created and mailed by RCM’s contracted mailing vendor were printed incorrectly. Instead of the name, street address, city, state, and zip code of the patient (or his/her guarantor) appearing in the clear address “window” of the envelope, what actually appeared were names, street addresses, and Social Security numbers.
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after that 655,000 patients health information were exposed as a result of an error made by one of its business associates. The compromised information included names, social security numbers, insurance and banking information, and some clinical data. Bon Secours conducted a two-month internal investigation of the incident, and offered a year of credit monitoring and identity theft protection services without charge.
Description: The California Office of the Attorney General disclosed a data breach affecting Bon Secours Health System, Inc. in August 2016. The incident occurred between April 18–21, 2016, when a third-party vendor, R-C Healthcare Management, inadvertently left files containing sensitive patient data exposed on the internet. The compromised information included names, health insurance details, Social Security numbers, and clinical records of unspecified individuals. The breach stemmed from misconfigured access controls, allowing unauthorized exposure of protected health information (PHI). While the exact number of affected patients was not specified, the exposure posed significant risks of identity theft, financial fraud, and privacy violations. The vendor’s negligence in securing the data led to potential long-term repercussions for the impacted individuals, including reputational harm to Bon Secours and regulatory scrutiny under healthcare data protection laws like HIPAA. No evidence of malicious exploitation was confirmed, but the unauthorized accessibility alone constituted a severe lapse in data security protocols.


No incidents recorded for Mercy Health in 2026.
No incidents recorded for Mercy Health in 2026.
No incidents recorded for Mercy Health in 2026.
Mercy Health cyber incidents detection timeline including parent company and subsidiaries

At Mercy Health, we understand that every family is a universe. A network of people who love, and support, and count on one other to be there. Everybody means the world to someone and we are committed to care for others so they can be there for the ones they love. With nearly 35,000 employees across regions of Ohio and Kentucky, we’re one of the largest health care systems in the country. At each of our more than 600 points of care, we deliver high-quality, compassionate care with one united purpose: to help our patients be well in mind, body and spirit.

At the heart of health care, you’ll find Kaiser Permanente. As the nation’s leading not-for-profit, integrated health plan, we make a difference in the lives of members, patients, and communities across the country. With 39 hospitals and more than 734 locations in eight states and the District of
From specializing in transplants and pediatric cancer to solving undiagnosed diseases, we know solving the most complex problems prepares us to solve any problem. We are committed to excellence in patient care, research, and medical education and training. We thrive on challenges, embrace collaborat

BJC Health System is one of the largest nonprofit health care organizations in the United States and the largest in the state of Missouri, serving urban, suburban, and rural communities across Missouri, southern Illinois, eastern Kansas, and the greater Midwest region. One of the largest employers i

As the only Idaho-based, not-for-profit health system, St. Luke’s Health System is dedicated to our mission “To improve the health of people in the communities we serve.” Today that means not only treating you when you’re sick or hurt, but doing everything we can to help you be as healthy as possibl

Baptist Health South Florida is the region’s largest not-for-profit healthcare organization with 12 hospitals, more than 29,000 employees, 4,500 physicians, and 200 outpatient centers, urgent care facilities, and physician practices spanning across Miami-Dade, Monroe, Broward, and Palm Beach countie
Sharp HealthCare is a not-for-profit health care system based in San Diego, California, with four acute care hospitals, three specialty hospitals, three medical groups and a health plan. We provide medical services in virtually all fields of medicine, including primary care, heart care, cancer, orth

Our purpose is to provide safe, high quality health and personal social services to the population of Ireland. Our vision is a healthier Ireland with a high quality health service valued by all. Our Workforce The health service is the largest employer in the state with over 110,000 whole time equ

R1 is the leader in healthcare revenue management, helping providers achieve new levels of performance through smart orchestration. A pioneer in the industry, R1 created the first Healthcare Revenue Operating System: a modular, intelligent platform that integrates automation, AI, and human expertise

The Cigna Group is a global health company committed to creating a better future built on the vitality of every individual and every community. We relentlessly challenge ourselves to partner and innovate solutions for better health. The Cigna Group includes products and services marketed under Cig
.png)
If you were affected by the Orthopaedic Institute of Western Kentucky data breach, you may be entitled to compensation.
As healthcare organisations continue to be a prime target for hackers, OpenAI's announcement of ChatGPT Health delivers another challenge in...
Looking for a college major that will help you stand out from the crowd and succeed in your career? Here's where to start.
For the 22nd year in a row, Mercy was named one of the nation's most technologically advanced health care organizations, earning prestigious...
In honor of Cybersecurity Awareness Month, we're spotlighting the 72 forward-thinking CISOs and CSOs who have taken on...
Crash that hit apps and websites around world demonstrates 'urgent need for diversification in cloud computing'
The Benchmark Security Awards celebrate Australian security leaders for their work in driving effective cyber programs in Australian...
More than 60 health systems, insurers and technology companies have agreed to work together on improving medical data sharing as part of an...
The Navy's Military Sealift Command is modernizing its IT infrastructure and consolidating data centers to improve health care and save costs.

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Mercy Health is https://www.mercy.com.
According to Rankiteo, Mercy Health’s AI-generated cybersecurity score is 769, reflecting their Fair security posture.
According to Rankiteo, Mercy Health currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Mercy Health has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.
According to Rankiteo, Mercy Health is not certified under SOC 2 Type 1.
According to Rankiteo, Mercy Health does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Mercy Health is not listed as GDPR compliant.
According to Rankiteo, Mercy Health does not currently maintain PCI DSS compliance.
According to Rankiteo, Mercy Health is not compliant with HIPAA regulations.
According to Rankiteo,Mercy Health is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Mercy Health operates primarily in the Hospitals and Health Care industry.
Mercy Health employs approximately 14,071 people worldwide.
Mercy Health presently has no subsidiaries across any sectors.
Mercy Health’s official LinkedIn profile has approximately 79,056 followers.
Mercy Health is classified under the NAICS code 62, which corresponds to Health Care and Social Assistance.
Yes, Mercy Health has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/mercy-health.
Yes, Mercy Health maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/mercyhealth-chp.
As of March 30, 2026, Rankiteo reports that Mercy Health has experienced 3 cybersecurity incidents.
Mercy Health has an estimated 32,295 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
Detection and Response: The company detects and responds to cybersecurity incidents through an communication strategy with public disclosure via california office of the attorney general..
Title: Bon Secours Health System Data Breach
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after 655,000 patients health information were exposed as a result of an error made by one of its business associates.
Type: Data Breach
Title: Mercy Health Lorain Hospital Laboratory HIPAA Breach
Description: Mercy Health Lorain Hospital Laboratory experienced a HIPAA breach due to a contractor invoice printing error. Batches of medical invoices created and mailed by RCM’s contracted mailing vendor were printed incorrectly. Instead of the name, street address, city, state, and zip code of the patient (or his/her guarantor) appearing in the clear address “window” of the envelope, what actually appeared were names, street addresses, and Social Security numbers. No actual or attempted access or misuse of patient or guarantor information has been discovered.
Type: HIPAA Breach
Attack Vector: Invoice Printing Error
Vulnerability Exploited: Human Error
Title: Bon Secours Health System, Inc. Data Breach (2016)
Description: The California Office of the Attorney General reported a data breach involving Bon Secours Health System, Inc. on August 12, 2016. The breach, which occurred between April 18, 2016, and April 21, 2016, was due to files containing patient information being inadvertently left accessible via the internet by the vendor R-C Healthcare Management, potentially affecting the names, health insurance information, social security numbers, and clinical information of unspecified individuals.
Date Detected: 2016-04-21
Date Publicly Disclosed: 2016-08-12
Type: Data Breach
Attack Vector: Inadvertent Exposure (Misconfigured Internet-Accessible Files)
Common Attack Types: The most common types of attacks the company has faced is Breach.

Data Compromised: Names, Social security numbers, Insurance information, Banking information, Clinical data

Data Compromised: Names, Street addresses, Social security numbers

Data Compromised: Names, Health insurance information, Social security numbers, Clinical information
Identity Theft Risk: High (PII and SSNs exposed)
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Information, Financial Information, Clinical Data, , Names, Street Addresses, Social Security Numbers, , Personally Identifiable Information (Pii), Protected Health Information (Phi) and .

Entity Name: Bon Secours Health System
Entity Type: Healthcare Provider
Industry: Healthcare
Location: Marriottsville, Md.
Customers Affected: 655000

Entity Name: Mercy Health Lorain Hospital Laboratory
Entity Type: Healthcare
Industry: Healthcare
Location: Lorain, Ohio

Entity Name: Bon Secours Health System, Inc.
Entity Type: Healthcare Provider
Industry: Healthcare
Location: California, USA (and other regions where Bon Secours operates)
Customers Affected: Unspecified (patients)

Entity Name: R-C Healthcare Management
Entity Type: Vendor
Industry: Healthcare Management

Communication Strategy: Public disclosure via California Office of the Attorney General

Type of Data Compromised: Personal information, Financial information, Clinical data
Number of Records Exposed: 655000
Sensitivity of Data: High

Type of Data Compromised: Names, Street addresses, Social security numbers
Sensitivity of Data: High

Type of Data Compromised: Personally identifiable information (pii), Protected health information (phi)
Sensitivity of Data: High
Data Exfiltration: Potential (files left accessible via internet)
Personally Identifiable Information: NamesSocial Security NumbersHealth Insurance InformationClinical Information

Regulations Violated: HIPAA

Regulations Violated: Potential HIPAA (Health Insurance Portability and Accountability Act) violations, California Data Breach Notification Law (if applicable),
Regulatory Notifications: California Office of the Attorney General

Source: California Office of the Attorney General
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: California Office of the Attorney General.

Investigation Status: Internal investigation conducted for two months
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public disclosure via California Office of the Attorney General.

Customer Advisories: Offered a year of credit monitoring and identity theft protection services without charge
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: was Offered a year of credit monitoring and identity theft protection services without charge.

Root Causes: Human Error

Root Causes: Misconfiguration by third-party vendor (R-C Healthcare Management) leading to unintended exposure of sensitive files over the internet.
Most Recent Incident Detected: The most recent incident detected was on 2016-04-21.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2016-08-12.
Most Significant Data Compromised: The most significant data compromised in an incident were names, social security numbers, insurance information, banking information, clinical data, , Names, Street Addresses, Social Security Numbers, , Names, Health Insurance Information, Social Security Numbers, Clinical Information and .
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were insurance information, Social Security Numbers, social security numbers, banking information, Clinical Information, Street Addresses, Health Insurance Information, clinical data, Names and names.
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 655.0.
Most Recent Source: The most recent source of information about an incident is California Office of the Attorney General.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Internal investigation conducted for two months.
Most Recent Customer Advisory: The most recent customer advisory issued was an Offered a year of credit monitoring and identity theft protection services without charge.
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Human Error, Misconfiguration by third-party vendor (R-C Healthcare Management) leading to unintended exposure of sensitive files over the internet..
.png)
A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.

Get company history
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.