Company Details
bon-secours-mercy-health-system
30,908
44,223
62
bsmhealth.org
0
BON_2610667
In-progress

Bon Secours Mercy Health Company CyberSecurity Posture
bsmhealth.orgOn September 1, 2018 Bon Secours Health System and Mercy Health combined to become the United States’ fifth largest Catholic health care ministry and one of the nation’s 20 largest health care systems. With 48 hospitals, thousands of providers, over 1,000 points of care and over 60,000 employees Bon Secours Mercy Health serves communities across seven states and Ireland. We are dedicated to continually improving health care quality, safety and cost effectiveness. Our hospitals, care sites and clinicians are recognized for clinical and operational excellence. By utilizing robust measurement and reporting processes, we hold ourselves accountable for enhancing care and improving outcomes for our patients, residents and clients.
Company Details
bon-secours-mercy-health-system
30,908
44,223
62
bsmhealth.org
0
BON_2610667
In-progress
Between 750 and 799

BSMH Global Score (TPRM)XXXX

Description: The California Office of the Attorney General disclosed a data breach affecting **Bon Secours Health System, Inc.** in August 2016. The incident occurred between **April 18–21, 2016**, when a third-party vendor, **R-C Healthcare Management**, inadvertently left files containing sensitive patient data exposed on the internet. The compromised information included **names, health insurance details, Social Security numbers, and clinical records** of unspecified individuals. The breach stemmed from misconfigured access controls, allowing unauthorized exposure of protected health information (PHI). While the exact number of affected patients was not specified, the exposure posed significant risks of identity theft, financial fraud, and privacy violations. The vendor’s negligence in securing the data led to potential long-term repercussions for the impacted individuals, including reputational harm to Bon Secours and regulatory scrutiny under healthcare data protection laws like **HIPAA**. No evidence of malicious exploitation was confirmed, but the unauthorized accessibility alone constituted a severe lapse in data security protocols.
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after that 655,000 patients health information were exposed as a result of an error made by one of its business associates. The compromised information included names, social security numbers, insurance and banking information, and some clinical data. Bon Secours conducted a two-month internal investigation of the incident, and offered a year of credit monitoring and identity theft protection services without charge.
Description: Mercy Health Lorain Hospital Laboratory experienced HIPAA breach due to contractor invoice printing error. No actual or attempted access or misuse of patient or guarantor information has been discovered. Batches of medical invoices created and mailed by RCM’s contracted mailing vendor were printed incorrectly. Instead of the name, street address, city, state, and zip code of the patient (or his/her guarantor) appearing in the clear address “window” of the envelope, what actually appeared were names, street addresses, and Social Security numbers.


No incidents recorded for Bon Secours Mercy Health in 2025.
No incidents recorded for Bon Secours Mercy Health in 2025.
No incidents recorded for Bon Secours Mercy Health in 2025.
BSMH cyber incidents detection timeline including parent company and subsidiaries

On September 1, 2018 Bon Secours Health System and Mercy Health combined to become the United States’ fifth largest Catholic health care ministry and one of the nation’s 20 largest health care systems. With 48 hospitals, thousands of providers, over 1,000 points of care and over 60,000 employees Bon Secours Mercy Health serves communities across seven states and Ireland. We are dedicated to continually improving health care quality, safety and cost effectiveness. Our hospitals, care sites and clinicians are recognized for clinical and operational excellence. By utilizing robust measurement and reporting processes, we hold ourselves accountable for enhancing care and improving outcomes for our patients, residents and clients.

Founded in 1866, University Hospitals serves the needs of patients through an integrated network of 23 hospitals (including 5 joint ventures), more than 50 health centers and outpatient facilities, and over 200 physician offices in 16 counties throughout northern Ohio. The system’s flagship quaterna

Fueled by our bold purpose to improve the health of humanity, we are transforming from a traditional health benefits organization into a lifetime trusted health partner. Our nearly 100,000 associates serve more than 118 million people, at every stage of health. We address a full range of needs wi

From a single medical centre to a performance-driven healthcare enterprise spread across more than 400+ medical establishments, including 15 hospitals, 120 clinics and 307 pharmacies in GCC and growing, Aster DM Healthcare has transitioned into being the leading healthcare authority across the Middl
SSM Health is a Catholic, not-for-profit, fully integrated health system dedicated to advancing innovative, sustainable, and compassionate care for patients and communities throughout the Midwest and beyond. The organization’s 40,000 team members and 13,900 providers are committed to fulfilling SSM

Nationwide Children’s is one of America's largest pediatric hospitals, an international leader in research and is ranked in all 10 specialties on U.S. News & World Report’s 2025-26 “America’s Best Children’s Hospitals” list. Our staff, comprised of 1,600 medical professionals and over 16,000 employe

With more than 170,000 staff and 228 hospitals, there are millions of ways we are enriching the health of the NSW community every day. In front of a patient, working in a kitchen, developing new treatments, or at a desk, each one of our staff is a vital member of the largest health organisat

NorthShore University HealthSystem, Swedish Hospital, Northwest Community Healthcare and Edward-Elmhurst Health are now united under one name: Endeavor Health. Together, we’re driven by our mission to help everyone in our communities be their best and our commitment to setting a new standard for he

At Johnson & Johnson, we believe health is everything. As a focused healthcare company, with expertise in Innovative Medicine and MedTech, we’re empowered to tackle the world’s toughest health challenges, innovate through science and technology, and transform patient care. All of this is possibl

Since its beginning in 1902, Cedars-Sinai has evolved to meet the healthcare needs of one of the most diverse regions in the nation, continually setting new standards for quality and innovation in patient care, research, teaching and community service. Today, Cedars-Sinai is widely known for its na
.png)
In honor of Cybersecurity Awareness Month, we're spotlighting the 72 forward-thinking CISOs and CSOs who have taken on...
Dozens of organizations, including 11 health systems, have agreed to work together to help improve the sharing of medical data across...
We're highlighting a new wave of CIOs, CTOs, and CISOs taking on pivotal leadership roles across healthcare, technology, finance, and beyond.
Enhance connected care with medtech innovations that align with health care provider challenges, driving industry progress and improving...
The hospital-focused telehealth and virtual care delivery company, which currently works with more than 70 health systems,...
AdventHealth has been named for the first time the top organization in…
Three Cincinnati groups received nearly $1 million in grant awards this week from the state to support tech research and more.
Ohio-based Bon Secours Mercy Health Inc. failed to protect the personal information of thousands of people that was exposed in a data breach.
Bon Secours Mercy Health reported to the South Carolina Department of Consumer Affairs that it had experienced a data breach.

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Bon Secours Mercy Health is https://bsmhealth.org/.
According to Rankiteo, Bon Secours Mercy Health’s AI-generated cybersecurity score is 785, reflecting their Fair security posture.
According to Rankiteo, Bon Secours Mercy Health currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Bon Secours Mercy Health is not certified under SOC 2 Type 1.
According to Rankiteo, Bon Secours Mercy Health does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Bon Secours Mercy Health is not listed as GDPR compliant.
According to Rankiteo, Bon Secours Mercy Health does not currently maintain PCI DSS compliance.
According to Rankiteo, Bon Secours Mercy Health is not compliant with HIPAA regulations.
According to Rankiteo,Bon Secours Mercy Health is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Bon Secours Mercy Health operates primarily in the Hospitals and Health Care industry.
Bon Secours Mercy Health employs approximately 30,908 people worldwide.
Bon Secours Mercy Health presently has no subsidiaries across any sectors.
Bon Secours Mercy Health’s official LinkedIn profile has approximately 44,223 followers.
Bon Secours Mercy Health is classified under the NAICS code 62, which corresponds to Health Care and Social Assistance.
No, Bon Secours Mercy Health does not have a profile on Crunchbase.
Yes, Bon Secours Mercy Health maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/bon-secours-mercy-health-system.
As of December 21, 2025, Rankiteo reports that Bon Secours Mercy Health has experienced 3 cybersecurity incidents.
Bon Secours Mercy Health has an estimated 31,363 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
Detection and Response: The company detects and responds to cybersecurity incidents through an communication strategy with public disclosure via california office of the attorney general..
Title: Bon Secours Health System Data Breach
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after 655,000 patients health information were exposed as a result of an error made by one of its business associates.
Type: Data Breach
Title: Mercy Health Lorain Hospital Laboratory HIPAA Breach
Description: Mercy Health Lorain Hospital Laboratory experienced a HIPAA breach due to a contractor invoice printing error. Batches of medical invoices created and mailed by RCM’s contracted mailing vendor were printed incorrectly. Instead of the name, street address, city, state, and zip code of the patient (or his/her guarantor) appearing in the clear address “window” of the envelope, what actually appeared were names, street addresses, and Social Security numbers. No actual or attempted access or misuse of patient or guarantor information has been discovered.
Type: HIPAA Breach
Attack Vector: Invoice Printing Error
Vulnerability Exploited: Human Error
Title: Bon Secours Health System, Inc. Data Breach (2016)
Description: The California Office of the Attorney General reported a data breach involving Bon Secours Health System, Inc. on August 12, 2016. The breach, which occurred between April 18, 2016, and April 21, 2016, was due to files containing patient information being inadvertently left accessible via the internet by the vendor R-C Healthcare Management, potentially affecting the names, health insurance information, social security numbers, and clinical information of unspecified individuals.
Date Detected: 2016-04-21
Date Publicly Disclosed: 2016-08-12
Type: Data Breach
Attack Vector: Inadvertent Exposure (Misconfigured Internet-Accessible Files)
Common Attack Types: The most common types of attacks the company has faced is Breach.

Data Compromised: Names, Social security numbers, Insurance information, Banking information, Clinical data

Data Compromised: Names, Street addresses, Social security numbers

Data Compromised: Names, Health insurance information, Social security numbers, Clinical information
Identity Theft Risk: High (PII and SSNs exposed)
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Information, Financial Information, Clinical Data, , Names, Street Addresses, Social Security Numbers, , Personally Identifiable Information (Pii), Protected Health Information (Phi) and .

Entity Name: Bon Secours Health System
Entity Type: Healthcare Provider
Industry: Healthcare
Location: Marriottsville, Md.
Customers Affected: 655000

Entity Name: Mercy Health Lorain Hospital Laboratory
Entity Type: Healthcare
Industry: Healthcare
Location: Lorain, Ohio

Entity Name: Bon Secours Health System, Inc.
Entity Type: Healthcare Provider
Industry: Healthcare
Location: California, USA (and other regions where Bon Secours operates)
Customers Affected: Unspecified (patients)

Entity Name: R-C Healthcare Management
Entity Type: Vendor
Industry: Healthcare Management

Communication Strategy: Public disclosure via California Office of the Attorney General

Type of Data Compromised: Personal information, Financial information, Clinical data
Number of Records Exposed: 655000
Sensitivity of Data: High

Type of Data Compromised: Names, Street addresses, Social security numbers
Sensitivity of Data: High

Type of Data Compromised: Personally identifiable information (pii), Protected health information (phi)
Sensitivity of Data: High
Data Exfiltration: Potential (files left accessible via internet)
Personally Identifiable Information: NamesSocial Security NumbersHealth Insurance InformationClinical Information

Regulations Violated: HIPAA

Regulations Violated: Potential HIPAA (Health Insurance Portability and Accountability Act) violations, California Data Breach Notification Law (if applicable),
Regulatory Notifications: California Office of the Attorney General

Source: California Office of the Attorney General
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: California Office of the Attorney General.

Investigation Status: Internal investigation conducted for two months
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public disclosure via California Office of the Attorney General.

Customer Advisories: Offered a year of credit monitoring and identity theft protection services without charge
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: was Offered a year of credit monitoring and identity theft protection services without charge.

Root Causes: Human Error

Root Causes: Misconfiguration by third-party vendor (R-C Healthcare Management) leading to unintended exposure of sensitive files over the internet.
Most Recent Incident Detected: The most recent incident detected was on 2016-04-21.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2016-08-12.
Most Significant Data Compromised: The most significant data compromised in an incident were names, social security numbers, insurance information, banking information, clinical data, , Names, Street Addresses, Social Security Numbers, , Names, Health Insurance Information, Social Security Numbers, Clinical Information and .
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Street Addresses, Names, social security numbers, Clinical Information, insurance information, clinical data, names, Social Security Numbers, banking information and Health Insurance Information.
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 655.0.
Most Recent Source: The most recent source of information about an incident is California Office of the Attorney General.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Internal investigation conducted for two months.
Most Recent Customer Advisory: The most recent customer advisory issued was an Offered a year of credit monitoring and identity theft protection services without charge.
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Human Error, Misconfiguration by third-party vendor (R-C Healthcare Management) leading to unintended exposure of sensitive files over the internet..
.png)
Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\\Config.msi and subsequently achieve execution as NT AUTHORITY\\SYSTEM via MSI rollback techniques.
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars" option enabled for TheGem integration.
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile URLs, and user IDs by enumerating predictable directory_id values or brute-forcing the small 16^5 token space.

Get company history
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.