BSMH
Company Details
Linkedin ID:
bon-secours-mercy-health-system
Website:
Employees number:
30,908
Number of followers:
44,223
NAICS:
62
Industry Type:
Homepage:
bsmhealth.org
IP Addresses:
0
Company ID:
BON_2610667
Scan Status:
In-progress
Bon Secours Mercy Health Company CyberSecurity Posture
bsmhealth.org
On September 1, 2018 Bon Secours Health System and Mercy Health combined to become the United States’ fifth largest Catholic health care ministry and one of the nation’s 20 largest health care systems. With 48 hospitals, thousands of providers, over 1,000 points of care and over 60,000 employees Bon Secours Mercy Health serves communities across seven states and Ireland. We are dedicated to continually improving health care quality, safety and cost effectiveness. Our hospitals, care sites and clinicians are recognized for clinical and operational excellence. By utilizing robust measurement and reporting processes, we hold ourselves accountable for enhancing care and improving outcomes for our patients, residents and clients.
Bon Secours Mercy Health A.I CyberSecurity Scoring
BSMH Risk Score (AI oriented)Between 750 and 799
BSMH
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
BSMH Global Score (TPRM)XXXX
BSMH
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
BSMH Company CyberSecurity News & History
Past Incidents
3
Attack Types
1
Bon Secours Health System, Inc.
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: The California Office of the Attorney General disclosed a data breach affecting **Bon Secours Health System, Inc.** in August 2016. The incident occurred between **April 18–21, 2016**, when a third-party vendor, **R-C Healthcare Management**, inadvertently left files containing sensitive patient data exposed on the internet. The compromised information included **names, health insurance details, Social Security numbers, and clinical records** of unspecified individuals. The breach stemmed from misconfigured access controls, allowing unauthorized exposure of protected health information (PHI). While the exact number of affected patients was not specified, the exposure posed significant risks of identity theft, financial fraud, and privacy violations. The vendor’s negligence in securing the data led to potential long-term repercussions for the impacted individuals, including reputational harm to Bon Secours and regulatory scrutiny under healthcare data protection laws like **HIPAA**. No evidence of malicious exploitation was confirmed, but the unauthorized accessibility alone constituted a severe lapse in data security protocols.
Bon Secours
Breach
Rankiteo Explanation
Attack threatening the organization's existence
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after that 655,000 patients health information were exposed as a result of an error made by one of its business associates. The compromised information included names, social security numbers, insurance and banking information, and some clinical data. Bon Secours conducted a two-month internal investigation of the incident, and offered a year of credit monitoring and identity theft protection services without charge.
Mercy Health
Breach
Rankiteo Explanation
Attack without any consequences
Description: Mercy Health Lorain Hospital Laboratory experienced HIPAA breach due to contractor invoice printing error. No actual or attempted access or misuse of patient or guarantor information has been discovered. Batches of medical invoices created and mailed by RCM’s contracted mailing vendor were printed incorrectly. Instead of the name, street address, city, state, and zip code of the patient (or his/her guarantor) appearing in the clear address “window” of the envelope, what actually appeared were names, street addresses, and Social Security numbers.
BSMH Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for BSMH
Incidents vs Hospitals and Health Care Industry Average (This Year)
No incidents recorded for Bon Secours Mercy Health in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Bon Secours Mercy Health in 2025.
Incident Types BSMH vs Hospitals and Health Care Industry Avg (This Year)
No incidents recorded for Bon Secours Mercy Health in 2025.
Incident History — BSMH (X = Date, Y = Severity)
BSMH cyber incidents detection timeline including parent company and subsidiaries
BSMH Company Subsidiaries
On September 1, 2018 Bon Secours Health System and Mercy Health combined to become the United States’ fifth largest Catholic health care ministry and one of the nation’s 20 largest health care systems. With 48 hospitals, thousands of providers, over 1,000 points of care and over 60,000 employees Bon Secours Mercy Health serves communities across seven states and Ireland. We are dedicated to continually improving health care quality, safety and cost effectiveness. Our hospitals, care sites and clinicians are recognized for clinical and operational excellence. By utilizing robust measurement and reporting processes, we hold ourselves accountable for enhancing care and improving outcomes for our patients, residents and clients.
Loading...
BSMH Similar Companies
Greater Paris University Hospitals - AP-HP
AP-HP (Greater Paris University Hospitals) is a European world-renowned university hospital. Its 39 hospitals treat 8 million people every year: in consultation, emergency, during scheduled or home hospitalizations. The AP-HP provides a public health service for everyone, 24 hours a day. This missi
UAB Medicine
As a nationally ranked academic medical center and one of Alabama’s largest employers, UAB Medicine is about teamwork, support, mentorship, and collaboration. Employees are empowered to lead, learn, and innovate as they deliver world-class care to every patient, every family, every time. When you ar
Memorial Healthcare System
Be at the heart of exceptional care. Team MHS Florida is an award-winning group of friends and colleagues at one of the largest not-for-profit health systems in the nation. We're 17,000 strong, advancing towards a brighter future together. We're passionate about the work we do, delivering deep, pe
ELSAN
ELSAN, groupe leader de l’hospitalisation privée en France, compte aujourd’hui plus de 28 000 collaborateurs et 7500 médecins libéraux qui exercent dans les 212 établissements et centres du groupe. Ils prennent en charge plus de 4,8 millions de patients par an. Notre mission : offrir à chac
Prisma Health is the largest not-for-profit health organization in South Carolina, serving more than 1.2 million patients annually. Our facilities in the Greenville and Columbia surrounding markets are dedicated to improving the health of all South Carolinians through improved clinical quality, acce
Bupa
Bupa's purpose is helping people live longer, healthier, happier lives and making a better world. We are an international healthcare company serving over 38 million customers worldwide. With no shareholders, we reinvest profits into providing more and better healthcare for the benefit of current an
Lifespan
Formed in 1994, Brown University Health (Formerly Lifespan) is a not-for-profit health system based in Providence, RI comprising three teaching hospitals of The Warren Alpert Medical School of Brown University: Rhode Island Hospital and its Hasbro Children's; The Miriam Hospital; and Bradley Hospita
Michigan Medicine
Michigan Medicine, based in Ann Arbor, Michigan, is part of one of the world’s leading universities. Michigan Medicine is a premier, highly ranked academic medical center and award-winning health care system with state-of-the-art facilities. Our vision is to create the future of health care throu
CVS Health
CVS Health is the leading health solutions company, delivering care like no one else can. We reach more people and improve the health of communities across America through our local presence, digital channels and over 300,000 dedicated colleagues – including more than 40,000 physicians, pharmacists,
.png)
BSMH CyberSecurity News
October 27, 2025 07:00 AM
71 CISOs On the Move
In honor of Cybersecurity Awareness Month, we're spotlighting the 72 forward-thinking CISOs and CSOs who have taken on...
July 31, 2025 07:00 AM
Here’s who’s pledged to improve medical data sharing
Dozens of organizations, including 11 health systems, have agreed to work together to help improve the sharing of medical data across...
June 08, 2025 07:00 AM
48 CIOs On the Move
We're highlighting a new wave of CIOs, CTOs, and CISOs taking on pivotal leadership roles across healthcare, technology, finance, and beyond.
April 16, 2025 07:00 AM
hellocare.ai scores $47M for AI-enabled virtual care for smart hospitals
The hospital-focused telehealth and virtual care delivery company, which currently works with more than 70 health systems,...
December 26, 2024 08:00 AM
Top 10 Tech Companies to Work for in Richmond in 2024
Richmond's tech industry is booming, contributing over 15% of local jobs and $12.8 billion annually. Top companies like Capital One, CarMax,...
October 21, 2024 07:00 AM
Bon Secours Mercy Health Hit With Class Action Over Data Breach
Ohio-based Bon Secours Mercy Health Inc. failed to protect the personal information of thousands of people that was exposed in a data breach.
October 11, 2024 07:00 AM
Bon Secours Mercy Health Data Breach Investigation
Strauss Borrelli PLLC, a leading data breach law firm, is investigating Bon Secours Mercy Health, regarding its recent data breach.
August 29, 2024 07:00 AM
How a provider-tech collab aims to refine patient monitoring
Bon Secours Mercy Health and Philips have launched a 10-year collaboration to standardize patient monitoring across its inpatient settings.
June 04, 2024 07:00 AM
Mercy Health Agrees to Pay $1.8 Million to Settle Insider Data Breach Lawsuit
Mercy Health has agreed to a $1.8 million settlement to resolve all claims related to a 2020 HIPAA compliance data breach that affected...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
BSMH CyberSecurity History Information
Official Website of Bon Secours Mercy Health
The official website of Bon Secours Mercy Health is https://bsmhealth.org/.
Bon Secours Mercy Health’s AI-Generated Cybersecurity Score
According to Rankiteo, Bon Secours Mercy Health’s AI-generated cybersecurity score is 785, reflecting their Fair security posture.
How many security badges does Bon Secours Mercy Health’ have ?
According to Rankiteo, Bon Secours Mercy Health currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Bon Secours Mercy Health have SOC 2 Type 1 certification ?
According to Rankiteo, Bon Secours Mercy Health is not certified under SOC 2 Type 1.
Does Bon Secours Mercy Health have SOC 2 Type 2 certification ?
According to Rankiteo, Bon Secours Mercy Health does not hold a SOC 2 Type 2 certification.
Does Bon Secours Mercy Health comply with GDPR ?
According to Rankiteo, Bon Secours Mercy Health is not listed as GDPR compliant.
Does Bon Secours Mercy Health have PCI DSS certification ?
According to Rankiteo, Bon Secours Mercy Health does not currently maintain PCI DSS compliance.
Does Bon Secours Mercy Health comply with HIPAA ?
According to Rankiteo, Bon Secours Mercy Health is not compliant with HIPAA regulations.
Does Bon Secours Mercy Health have ISO 27001 certification ?
According to Rankiteo,Bon Secours Mercy Health is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Bon Secours Mercy Health
Bon Secours Mercy Health operates primarily in the Hospitals and Health Care industry.
Number of Employees at Bon Secours Mercy Health
Bon Secours Mercy Health employs approximately 30,908 people worldwide.
Subsidiaries Owned by Bon Secours Mercy Health
Bon Secours Mercy Health presently has no subsidiaries across any sectors.
Bon Secours Mercy Health’s LinkedIn Followers
Bon Secours Mercy Health’s official LinkedIn profile has approximately 44,223 followers.
NAICS Classification of Bon Secours Mercy Health
Bon Secours Mercy Health is classified under the NAICS code 62, which corresponds to Health Care and Social Assistance.
Bon Secours Mercy Health’s Presence on Crunchbase
No, Bon Secours Mercy Health does not have a profile on Crunchbase.
Bon Secours Mercy Health’s Presence on LinkedIn
Yes, Bon Secours Mercy Health maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/bon-secours-mercy-health-system.
Cybersecurity Incidents Involving Bon Secours Mercy Health
As of December 11, 2025, Rankiteo reports that Bon Secours Mercy Health has experienced 3 cybersecurity incidents.
Number of Peer and Competitor Companies
Bon Secours Mercy Health has an estimated 30,929 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Bon Secours Mercy Health ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
How does Bon Secours Mercy Health detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an communication strategy with public disclosure via california office of the attorney general..
Incident Details
Can you provide details on each incident ?
Title: Bon Secours Health System Data Breach
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after 655,000 patients health information were exposed as a result of an error made by one of its business associates.
Type: Data Breach
Title: Mercy Health Lorain Hospital Laboratory HIPAA Breach
Description: Mercy Health Lorain Hospital Laboratory experienced a HIPAA breach due to a contractor invoice printing error. Batches of medical invoices created and mailed by RCM’s contracted mailing vendor were printed incorrectly. Instead of the name, street address, city, state, and zip code of the patient (or his/her guarantor) appearing in the clear address “window” of the envelope, what actually appeared were names, street addresses, and Social Security numbers. No actual or attempted access or misuse of patient or guarantor information has been discovered.
Type: HIPAA Breach
Attack Vector: Invoice Printing Error
Vulnerability Exploited: Human Error
Title: Bon Secours Health System, Inc. Data Breach (2016)
Description: The California Office of the Attorney General reported a data breach involving Bon Secours Health System, Inc. on August 12, 2016. The breach, which occurred between April 18, 2016, and April 21, 2016, was due to files containing patient information being inadvertently left accessible via the internet by the vendor R-C Healthcare Management, potentially affecting the names, health insurance information, social security numbers, and clinical information of unspecified individuals.
Date Detected: 2016-04-21
Date Publicly Disclosed: 2016-08-12
Type: Data Breach
Attack Vector: Inadvertent Exposure (Misconfigured Internet-Accessible Files)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach BON341622
Data Compromised: Names, Social security numbers, Insurance information, Banking information, Clinical data
Incident : HIPAA Breach MER21861222
Data Compromised: Names, Street addresses, Social security numbers
Incident : Data Breach BON158082125
Data Compromised: Names, Health insurance information, Social security numbers, Clinical information
Identity Theft Risk: High (PII and SSNs exposed)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Information, Financial Information, Clinical Data, , Names, Street Addresses, Social Security Numbers, , Personally Identifiable Information (Pii), Protected Health Information (Phi) and .
Which entities were affected by each incident ?
Incident : Data Breach BON341622
Entity Name: Bon Secours Health System
Entity Type: Healthcare Provider
Industry: Healthcare
Location: Marriottsville, Md.
Customers Affected: 655000
Incident : HIPAA Breach MER21861222
Entity Name: Mercy Health Lorain Hospital Laboratory
Entity Type: Healthcare
Industry: Healthcare
Location: Lorain, Ohio
Incident : Data Breach BON158082125
Entity Name: Bon Secours Health System, Inc.
Entity Type: Healthcare Provider
Industry: Healthcare
Location: California, USA (and other regions where Bon Secours operates)
Customers Affected: Unspecified (patients)
Incident : Data Breach BON158082125
Entity Name: R-C Healthcare Management
Entity Type: Vendor
Industry: Healthcare Management
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Breach BON158082125
Communication Strategy: Public disclosure via California Office of the Attorney General
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach BON341622
Type of Data Compromised: Personal information, Financial information, Clinical data
Number of Records Exposed: 655000
Sensitivity of Data: High
Incident : HIPAA Breach MER21861222
Type of Data Compromised: Names, Street addresses, Social security numbers
Sensitivity of Data: High
Incident : Data Breach BON158082125
Type of Data Compromised: Personally identifiable information (pii), Protected health information (phi)
Sensitivity of Data: High
Data Exfiltration: Potential (files left accessible via internet)
Personally Identifiable Information: NamesSocial Security NumbersHealth Insurance InformationClinical Information
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : HIPAA Breach MER21861222
Regulations Violated: HIPAA
Incident : Data Breach BON158082125
Regulations Violated: Potential HIPAA (Health Insurance Portability and Accountability Act) violations, California Data Breach Notification Law (if applicable),
Regulatory Notifications: California Office of the Attorney General
References
Where can I find more information about each incident ?
Incident : Data Breach BON158082125
Source: California Office of the Attorney General
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: California Office of the Attorney General.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Breach BON341622
Investigation Status: Internal investigation conducted for two months
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public disclosure via California Office of the Attorney General.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Data Breach BON341622
Customer Advisories: Offered a year of credit monitoring and identity theft protection services without charge
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: was Offered a year of credit monitoring and identity theft protection services without charge.
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : HIPAA Breach MER21861222
Root Causes: Human Error
Incident : Data Breach BON158082125
Root Causes: Misconfiguration by third-party vendor (R-C Healthcare Management) leading to unintended exposure of sensitive files over the internet.
Additional Questions
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2016-04-21.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2016-08-12.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were names, social security numbers, insurance information, banking information, clinical data, , Names, Street Addresses, Social Security Numbers, , Names, Health Insurance Information, Social Security Numbers, Clinical Information and .
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were social security numbers, clinical data, Street Addresses, names, Names, insurance information, banking information, Social Security Numbers, Health Insurance Information and Clinical Information.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 655.0.
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident is California Office of the Attorney General.
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Internal investigation conducted for two months.
Stakeholder and Customer Advisories
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued was an Offered a year of credit monitoring and identity theft protection services without charge.
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Human Error, Misconfiguration by third-party vendor (R-C Healthcare Management) leading to unintended exposure of sensitive files over the internet..
.png)
Latest Global CVEs (Not Company-Specific)
Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.
Risk Information
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
Risk Information
cvss3
Base: 9.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying, however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12.
Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Description
Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response. This issue is fixed in version 20.0.1.
Risk Information
cvss3
Base: 8.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.
Risk Information
cvss3
Base: 5.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=bon-secours-mercy-health-system' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
