Phishing Attack on Methodist Hospitals Impacts 68,000 Patients

In June 2019, Methodist Hospitals in Gary, Indiana found out that an unauthorized person accessed the email account of an employee after noticing suspicious activity in the said email account.

Third-party computer forensics experts investigated the incident immediately to figure out the magnitude of the breach and if the attacker accessed or copied any patient data. The investigation confirmed the compromise of two email accounts because the employees responded to phishing emails they received.

The forensic investigators were able to determine on August 7, 2019 that a breach indeed happened and there was a compromise of patient data. An unauthorized person accessed one email account from March 13, 2019 to June 12, 2019. There was unauthorized access of another email account on June 12, 2019 and on July 1 until July 8, 2019.

Just like in most forensic investigations, it was not determined for sure if patient data held in email messages and email attachments was accessed or copied by the attacker. Still, the possibility can’t be ruled out. When Methodist Hospitals issued breach notification letters to patients in October, there was no report received that suggest the misuse of patient data.

The types of data potentially exposed in the phishing attacks differed from one patient to another. Besides patient names, the information likely compromised include address, birth date, Social Security number, state ID number, driver’s license number, passport number, medical record number, HAR number, CSN number, Medicare number, Medicaid number, diagnosis data, treatment details, medical insurance subscriber, group identification number, group, and/or plan number, bank account number, payment card data, username password and electronic signature.

Methodist Hospitals conducted a review of its policies and procedures and shall implement further safety measures to strengthen its defenses against phishing attacks.

The hospital instructed the affected persons to keep an eye on their account statements and explanation of benefit statements for any fraudulent transaction. Methodist Hospitals posted a substitute breach notification on its website but there was no mention of offering free credit monitoring and identity theft protection services to people affected by the breach.

As per the breach report sent to the Department of Health and Human Services’ Office for Civil Rights, the breach impacted 68,039 patients.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone