68,000 Patients of Methodist Hospitals Impacted by Phishing Attack

In June 2019, Gary, Indiana-based Methodist Hospitals discovered an unauthorized individual had gained access to the email account of one of its employees following the detection of suspicious activity in the employee’s email account.

An investigation was immediately launched and third-party computer forensics experts were called in to determine the extent of the breach and whether any patient information had been accessed or copied by the attacker. The investigation revealed two email accounts had been compromised as a result of employees responding to phishing emails.

It took until August 7, 2019 for the forensic investigators to determine that a breach had occurred and patient information had been compromised. One of the compromised email accounts was discovered to have been accessed by an unauthorized individual from March 13, 2019 to June 12, 2019, and the second account was subjected to unauthorized access on June 12, 2019 and from July 1 to July 8.

As is typical in forensic investigations, it was not possible to determine whether the attacker viewed or copied patient information contained in emails and email attachments, but it was also not possible to rule out the possibility. At the time of issuing breach notification letters in October, no reports had been received to suggest patient information had been misused.

The types of information potentially compromised in the phishing attacks varied from patient to patient. In addition to patient names, the following information may have been compromised: Address, date of birth, Social Security number, driver’s license number, state ID number, passport number, medical record number, CSN number, HAR number, Medicare number, Medicaid number, diagnosis information, treatment information, health insurance subscriber, group, and/or plan number, group identification number, financial account number, payment card information, electronic signature, username and password.

Methodist Hospitals is reviewing its policies and procedures and will be implementing additional safeguards to improve defenses against phishing attacks in the future.

Affected individual have been advised to monitor their account statements and explanation of benefit statements for signs of fraudulent activity. The substitute breach notification letter on the Methodist Hospitals website makes no mention of credit monitoring and identity theft protection services for breach victims.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 68,039 patients have been affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.