The Methodist Hospitals, Inc. revealed that a phishing attack potentially affected the information of approximately 68,000 patients.

According to its Notice of Data Incident, the non-profit healthcare system located in Gary, Indiana detected unusual activity involving an employee’s email account back in June 2019. The Methodist Hospitals (‘Methodist’) responded by launching an investigation into what happened. On August 7, 2019, this effort revealed that two Methodist employees fell victim to a phishing email. Bad actors accessed one of the accounts on June 12, 2019 as well as between July 1 and July 8, 2019, while they maintained access to the other account between March 13 and June 12, 2019.

Methodist’s statement revealed that the email accounts contained 68,039 patients’ personal and medical information at the time of compromise. This data included names, medical record numbers, Social Security Numbers and medical treatment/diagnosis details.

The healthcare system found no indication that anyone had actually accessed or misused that information, per its data incident notice. Even so, it decided to begin notifying potentially affected individuals out of an abundance of caution. It also formulated its own internal response to the phishing attack.

As the Methodist Hospitals noted in its letter:

Upon learning of this incident, we moved quickly to conduct an investigation, which included working with third-party forensic investigators…. Additionally, while we have security measures in place to protect data in our systems, we are reviewing our existing policies and procedures and implementing additional safeguards to further protect information. We are also reporting this incident to relevant state and federal regulators.

Individuals whose information might have been exposed in the phishing attack should review their credit reports for suspicious activity and consider placing either a fraud alert or security freeze on their credit files. They should also take steps to defend themselves (Read more...)