Phishing attack against Methodist Hospitals may have exposed the medical, personal, and financial data of 68,000 patients

The personally identifiable information (PII) of more than 68,000 US healthcare patients may have been exposed as the result of a phishing attack against Methodist Hospitals.

The organization, which operates hospitals and healthcare facilities across northwest Indiana, said phishing emails that hoodwinked at least two of its employees may have exposed a wide variety of sensitive information.

One account was compromised between March 13 and June 12, 2019, while the other was breached over two periods between June and early July.

Methodist Hospitals brought in incident response experts after first realizing something was amiss back in June.

“The forensic investigation determined that two Methodist employees fell victim to an email phishing scheme that allowed an unauthorized actor to gain access to their email accounts,” the healthcare provider explained in a statement.

“While Methodist has no evidence of actual or attempted misuse of any information present in the email accounts, the investigation could not rule out the possibility of access to data present in the accounts.”

Notifying individuals

Data passing through the compromised accounts included a wide variety of sensitive information that leaves affected patients open to identity theft and financial fraud.

This data included names, addresses, dates of birth, health insurance subscriber numbers, Social Security numbers, driver's license or state identification numbers, passport numbers, bank account numbers, and payment card information.

Medical record numbers, as well as medical treatment and diagnosis information, might also be at risk.

To cap it all, usernames and passwords might also have been exposed, a finding that suggests credentials were being sent or stored in plain text in email, a practice the medical organization's password security policies ought to have prohibited.

Methodist Hospitals said it has improved the security of its email environment since the incident.

The medical care provider has begun the process of notifying affected individuals, advising them to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor credit reports.

Methodist has reported its breach to the relevant state and federal regulators, as required under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA).

The US Department of Health and Human Services has publicly logged the case as under investigation and confirmed the scope of the breach, with 68,039 individuals potentially affected.
