Cyber Incident Victim: Methodist Hospitals
Date:
Jun 2019
Location:
United States of America
Summary
A healthcare system experienced a phishing attack compromising two employee email accounts, potentially exposing sensitive data of approximately 68,000 patients. The unauthorized access spanned multiple months, with personal and medical information at risk including names, Social Security numbers, payment card details, insurance identifiers, driver’s license numbers, medical records, and treatment histories. While no confirmed misuse occurred, the investigation could not eliminate potential data access. The organization notified affected individuals and reported the incident to state and federal regulators, urging vigilance against identity theft. A separate but similar phishing incident at another medical center targeted payroll data and exposed patient health information, though fraudulent payment diversion attempts failed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In June 2019, Methodist Hospitals, a community-based healthcare system in Gary, Indiana, detected unusual activity in an employee's email account, prompting an immediate investigation with third-party forensic experts. The investigation, concluded on August 7, 2019, determined that two employees had fallen victim to a phishing scheme, enabling unauthorized access to their email accounts. The first account was compromised on June 12 and again from July 1 to July 8, 2019, while the second account was accessed between March 13 and June 12, 2019. While no evidence confirmed actual misuse of the exposed data, investigators could not rule out potential access to information within the accounts. The breach potentially affected 68,039 individuals, with Methodist Hospitals employing 2,576 staff and reporting 195,055 patient encounters in 2018. The organization initiated notifications to potentially impacted individuals and reported the incident to state and federal regulators, including the U.S. Department of Health and Human Services.
The compromised email accounts contained varied combinations of sensitive personal and medical data, including names, addresses, health insurance details, Social Security numbers, driver’s license or state identification numbers, passport numbers, financial account information, payment card data, electronic signatures, usernames and passwords, dates of birth, medical record numbers, CSN numbers, HAR numbers, Medicare/Medicaid identifiers, and medical treatment or diagnosis information. Methodist Hospitals advised affected individuals to monitor account statements, credit reports, and explanation of benefits forms for suspicious activity, emphasizing vigilance against identity theft and fraud. The healthcare system reiterated that the forensic investigation found no proof of data misuse but acknowledged the inherent risks of exposure. This incident highlighted operational vulnerabilities to phishing attacks despite the absence of confirmed malicious exploitation of the accessed data.