[BreachExchange] Methodist Hospitals in Gary, Merrillville hit with possible data breach

[Destry Winant]

https://www.chicagotribune.com/suburbs/post-tribune/ct-ptb-area-hospital-hit-with-possible-data-breach-st-1017-20191016-n2maqtkzc5hbdoqmytrmsp34pm-story.html

Methodist Hospitals — with two campuses in Gary and one in
Merrillville — is warning patients of a potential data breach after
suspicious email activity was discovered in an employee’s account in
June.

In August, investigators found that two Methodist employees “fell
victim to an email phishing scheme that allowed an unauthorized actor
to gain access to their email accounts," according to a release.

Email phishing schemes often lure a person into sending or allowing
access to sensitive information by posing as a legitimate company or
entity.

One account was subject to unauthorized access on June 12 and from
July 1 to July 8, 2019, while the other was accessed between March 13
and June 12, 2019.

“While we have no evidence of actual or attempted misuse of any
information present in the email accounts, we could not rule out the
possibility of access to data present in the accounts,” the Methodist
Hospitals release states.

The potential accessed data includes names, addresses, health
insurance information, Social Security numbers, state ID and passport
numbers, financial account numbers, electronic signatures, usernames
and passwords, dates of birth, medical records and Medicare or
Medicaid information.

The release states the hospital is working with third-party forensic
investigators and state and federal regulators to fix the situation,
as well as “reviewing our existing policies and procedures and
implementing additional safeguards to further protect information.”

A spokeswoman declined to name what state and federal authorities the
hospital is working with.

According to its latest annual report, Methodist Hospitals had more
than 195,000 patient encounters in 2018 for every type of patient
service, including outpatient, inpatient and emergency services.

The hospital has more than 2,500 employees, with almost 400 active
physicians, according to its website.

Next steps include sending mailed notifications to people potentially
affected by the breach, according to the release.

Those with ties to the hospital are encouraged to monitor their
accounts for suspicious activity. A call center has been set up at
855-913-0610.