On April 2, 2024, Mercer County Joint Township Community Hospital, also known as Mercer Health, discovered unauthorized activity within a limited number of devices on its network. Upon discovering the incident, Mercer Health immediately launched an investigation, engaged a national cybersecurity firm, and reported the breach to law enforcement authorities.
The breach affected approximately 88,541 individuals across the United States, including 21 residents of Massachusetts.
The types of information exposed in the breach included personally identifiable information (PII) such as names, physical addresses, email addresses, phone numbers, dates of birth, Social Security numbers, driver's license or state ID numbers, and financial account details including credit and debit card numbers. Additionally, protected health information (PHI) such as medical records and health insurance information was also compromised.
An investigation by third-party forensic specialists determined that the unauthorized access occurred between April 2 and April 3, 2024. Following this, Mercer Health initiated a comprehensive review of the potentially affected data to identify impacted individuals and the specific information involved. Due to the volume of data and in an effort to expedite notification, Mercer Health decided to notify all individuals whose personal or protected health information was stored on its network at the time of the breach.
Mercer Health took actions to mitigate the impact and strengthen its cybersecurity measures and reported the breach to the appropriate authorities, including the Massachusetts Attorney General's office on March 28, 2025, and the U.S. Department of Health and Human Services on March 26, 2025.
Mercer Health mailed notification letters to affected individuals on February 21, 2025, detailing the incident, outlining the specific personal information that may have been compromised, and providing guidance on how to protect themselves. The hospital also established a dedicated call center, available Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern Time, at 877-723-0509, to answer questions and provide additional information.
Affected individuals are advised to closely monitor their financial accounts and credit reports for unusual activity. Mercer Health recommends obtaining free annual credit reports from the three major credit bureaus—Equifax, Experian, and TransUnion—by visiting AnnualCreditReport.com or calling 1-877-322-8228.
Additionally, individuals may place fraud alerts or credit freezes on their credit files by contacting the three major credit bureaus directly. Mercer Health also suggests obtaining an Identity Protection PIN (IP PIN) from the IRS to prevent tax-related identity theft. Instructions for obtaining an IP PIN can be found on the IRS Identity Protection PIN webpage.
Further information about this data breach can be found in the official notices filed with the Massachusetts Attorney General's office and the U.S. Department of Health and Human Services. Mercer Health also published a detailed consumer notice on its official website.