Deaconess Health System Discloses Data Breach via Third-Party Vendor File-Sharing Platform

Deaconess Health System, a healthcare provider based in Indiana, reports a data breach involving its third-party release-of-information (ROI) vendor, MediCopy, a subsidiary of MRO Corp. 

The breach occurred on January 13, 2026, when an attacker accessed and downloaded files from a Box instance managed by MRO Corp, a cloud-based file-sharing platform used to process medical record requests. MRO Corp representatives initially disputed that their internal systems were compromised, but Deaconess clarified that the incident was limited to the cloud-based file-sharing software used for these transfers. 

Deaconess Health System's internal IT infrastructure and electronic medical records (EMR) remained secure. 

The compromised data includes:

• Social Security numbers
• Full names and dates of birth
• Health insurance identification numbers
• Medical record numbers
• Dates of services
• Medical records related to treatment received at Deaconess

The number of affected individuals is not disclosed. The vendor has since implemented additional security layers on its file-sharing platform to prevent similar incidents access. 

Deaconess reported the incident to relevant regulatory agencies, and is currently mailing notification letters to affected patients. The health system is providing complimentary credit monitoring and identity protection services to the affected individuals.

Security experts recommend that affected patients monitor their credit reports and insurance Explanation of Benefits (EOB) statements for any fraudulent medical claims or unauthorized accounts.