Goshen Health in Indiana has begun informing 9,160 patients regarding the potential compromise of their protected health information (PHI) because of a phishing-related email breach that happened in August 2018.
When the breach was discovered, Goshen Health secured the compromised email accounts and investigated the incident. During that time, it was determined that the security breach did not require patient notifications since there seemed to be no compromise of PHI. But on August 1, 2019, it was discovered that the PHI of some patients was found in the compromised email accounts and so sending notifications letters to patients became necessary.
The breach occurred from August 2, 2018 to August 13, 2018. An unidentified, unauthorized person accessed two Goshen colleagues’ email accounts. After the breach, Goshen Health upgraded its email security defenses and used more forensic tools and technology for the re-evaluation of the breach.
Third-party forensic specialists came in November 2018 to re-evaluate the breach, but they did not find any evidence of unauthorized access or theft of PHI. The evaluation included a comprehensive analysis of the compromised email accounts to find out if they contained sensitive patient information. For about a year up to the day when the first breach of account occurred, they found the accounts to contain some patients’ PHI.
The following PHI were potentially compromised in the accounts: names, dates of birth, addresses, medical insurance details, doctors’ names, limited clinical data, Social Security numbers, and driver’s license numbers.
Goshen Health reported the breach to the HHS’ Office for Civil Rights on September 30, 2019. The provider also sent notification letters to the patients affected by the breach on the same day. People who had their Social Security number or driver’s license number exposed received one year of free credit monitoring and identity theft protection services.
The employees also received additional training on email security and phishing awareness.