Deaconess Health System Data Breach Exposes SSNs and Sensitive Medical Records of Patients

Published: March 19, 2026
Updated: March 19, 2026

Deaconess Health System, a major nonprofit healthcare network headquartered in Evansville, Indiana, disclosed a data breach that originated through its Release of Information vendor, MediCopy. Deaconess operates 18 hospitals and serves communities across southwestern Indiana, western Kentucky and southeastern Illinois. The breach affected certain patients at two of the system's Kentucky hospitals and their surrounding clinics, though the total number of affected individuals has not been publicly disclosed.

Deaconess learned of the breach on Feb. 2, 2026, when MediCopy notified the company of a data security incident. The company reported the incident to relevant agencies and posted a notice of the incident on its website with details for affected patients.

What happened in the Deaconess Health System data breach

On Jan. 13, 2026, an unauthorized actor accessed MediCopy's cloud-based file sharing platform and downloaded files, according to the company's notification. The files contained Deaconess patient information related to Release of Information requests, which are formal processes through which patients or authorized parties obtain copies of medical records.

After learning of the incident, Deaconess began an investigation in coordination with MediCopy. The investigation confirmed that the unauthorized access and file download took place on Jan. 13, 2026. Deaconess then conducted a comprehensive review of the involved files to determine which individuals had their information included.

The breach was limited to certain patients of Deaconess Henderson Hospital in Henderson, Kentucky, and Deaconess Union County Hospital in Morganfield, Kentucky, along with their surrounding clinics. Only patients whose records were part of a Release of Information request were affected. The incident did not involve or impact any of Deaconess's own IT systems or its electronic medical record system, according to the notification.

The types of information exposed varied by individual but may have included names, Social Security numbers, dates of birth, medical record numbers, dates of service, health insurance identification numbers and medical records related to treatment received at Deaconess.

Deaconess Health System's response to the breach

In response to the breach, MediCopy implemented additional measures to strengthen the security of its file sharing platform and the Deaconess information it maintains, according to the notification. These changes are intended to help prevent a similar incident from occurring in the future.

Deaconess is mailing letters to patients whose information was involved in the breach. The company has arranged for affected patients to receive complimentary access to credit monitoring and identity protection services.

Deaconess has also set up a dedicated toll-free call center at 1-844-558-4567. The call center is available Monday through Friday between 9 a.m. and 5 p.m. Central Time.

Steps to take if your information was exposed

  • Place a fraud alert or credit freeze with the three major credit bureaus. Contact Equifax at 1-800-525-6285, Experian at 1-888-397-3742 and TransUnion at 1-800-680-7289 to help prevent unauthorized accounts from being opened.
  • Request free credit reports at AnnualCreditReport.com. Review reports from all three bureaus for any accounts or activity that seem unfamiliar.
  • Monitor Explanation of Benefits statements from your health insurer. Watch for claims or services you did not receive, which could be a sign of medical identity theft.
  • Review bank and financial account statements regularly. Look for any unauthorized transactions or suspicious changes to personal information.
  • Be cautious of phishing attempts that reference Deaconess Health System or this breach by name. Scammers may send emails, texts or phone calls posing as Deaconess or MediCopy to try to collect additional personal information.
