MediCopy & Deaconess Hospital Data Breach Investigation

If you received a data breach notification letter from Deaconess Health System, your personal and medical information may have been stolen by a criminal hacker. You may be searching for this incident under the MediCopy data breach or the Deaconess data breach.

Both names refer to the same event. MediCopy is the third-party vendor that was hacked, and Deaconess patients are the ones whose information was exposed. Understanding that distinction matters, because it affects who may be legally responsible for what happened to your data. Contact our data breach lawyers to investigate your claim. 

What Happened at MediCopy?

In January 2026, an unauthorized actor gained access to a cloud-based file sharing platform operated by MediCopy, a health information management company that handles the release of medical records on behalf of healthcare providers across the country. MediCopy serves as a release of information vendor for Deaconess Health System, managing the secure transfer of patient records to authorized parties such as insurers, attorneys, and other healthcare providers.

On January 13, 2026, the unauthorized actor accessed MediCopy’s platform and downloaded files containing patient information. MediCopy did not notify Deaconess of the breach until February 2, 2026, approximately three weeks after the intrusion took place. Deaconess then launched an investigation, notified relevant authorities, and began mailing letters to affected patients.

The breach allegedly affected patients at the following locations:

  • Deaconess Henderson Hospital in Henderson, Kentucky
  • Deaconess Union County Hospital in Morganfield, Kentucky
  • Affiliated clinics connected to both facilities

The breach did not affect Deaconess’s internal IT systems or its electronic medical records platform. It was limited entirely to MediCopy’s file sharing environment and only impacted patients whose records were part of an active release of information request at the time of the attack.

What Information Was Exposed at Deaconess Hospitals?

The types of data compromised varied by individual, but the MediCopy breach may have included:

  • Full names and dates of birth
  • Social Security numbers
  • Medical record numbers
  • Dates of service
  • Health insurance identification numbers
  • Medical records related to treatment received at Deaconess facilities

This is an extremely sensitive combination of personal and medical information. Social Security numbers combined with health records and insurance details create a real and lasting risk of identity theft, medical identity theft, and financial fraud. Many victims of breaches like this one do not discover the full consequences for months or even years after the initial exposure.

The Third-Party Vendor Problem

One of the most troubling aspects of both the MediCopy breach and the Deaconess breach is that many affected patients had no idea their records were stored on MediCopy’s platform at all. When you seek care at a hospital, you trust that institution with your most sensitive information. What most patients do not know is that their records are routinely shared with and managed by outside vendors operating behind the scenes on the hospital’s behalf.

This is an increasingly common pattern in healthcare data breaches. Criminals have learned that targeting one vendor with access to multiple health systems yields far more data than attacking a single hospital directly. Healthcare data breaches involving business associates and third-party vendors have increased dramatically in recent years, making incidents like this one entirely foreseeable.

MediCopy’s three-week delay between the initial intrusion and notifying Deaconess raises serious questions about whether the company met its legal obligations under HIPAA. Healthcare vendors that handle protected health information are required to maintain adequate security safeguards and to report breaches promptly. When they fail to do so, patients pay the price.

Why You Should Contact The Lyon Firm

At The Lyon Firm, we represent individuals and families whose private information has been compromised through data breaches caused by corporate negligence. We have handled cases involving healthcare vendors, hospital systems, and third-party data processors, and we know how to hold the responsible parties accountable.

We handle data breach cases on a contingency fee basis, meaning you pay nothing unless we recover compensation for you. Our team will review your situation at no charge, explain your rights in plain language, and help you understand whether you have a claim worth pursuing.

If you received a notification letter related to the MediCopy or Deaconess data breach, do not wait. Legal deadlines apply, and the sooner you act, the better positioned you will be. Contact The Lyon Firm today for a free consultation with an experienced data breach attorney.
