Cyber Incident Victim: Goshen Health
Date: Aug 2018
Location: United States of America
Summary
An unauthorized party potentially accessed two employee email accounts at Goshen Health over a period of time, and the incident initially prompted no patient notification. Subsequent forensic investigation revealed possible exposure of patient information, including names, addresses, dates of birth, physician details, health insurance data, limited clinical information, Social Security numbers, and driver's license numbers. The health system notified affected individuals more than a year after the incident and offered complimentary identity theft protection services for those with exposed sensitive identifiers. Remedial actions included password resets, enhanced email security protocols, forensic expert engagement, and staff phishing awareness training. No evidence confirmed actual viewing or acquisition of personal data by the unauthorized party.
Description
On or around August 2, 2018, Goshen Health detected unauthorized access to two employee email accounts, with the intrusion period lasting until August 13, 2018. Initial assessments concluded that no patient data compromise had occurred, leading the organization to determine that HIPAA breach notification was unnecessary at that time. The health system responded by resetting account passwords and initiating internal investigations. Three months later, in November 2018, Goshen engaged external forensic specialists and deployed enhanced email security tools to conduct a comprehensive re-examination of the incident. This secondary investigation involved meticulous analysis of email account contents to identify any protected health information potentially accessible during the breach window.

Nearly one year after the initial intrusion, on August 1, 2019, forensic analysis revealed the compromised accounts contained patient information that could have been exposed. The data types varied per individual but potentially included names, addresses, dates of birth, physician names, health insurance details, limited clinical information, Social Security numbers, and driver's license numbers. Goshen delayed patient notifications until September 30, 2019—over 13 months post-incident—to allow completion of forensic reviews and contact information verification. The organization offered complimentary identity theft protection services specifically to individuals whose Social Security numbers or driver's license numbers were involved. Response measures included expanded phishing awareness training for staff, implementation of additional email security controls, and establishment of a dedicated toll-free inquiry line. Goshen directed affected patients to review account statements, credit reports, and FTC identity theft resources while emphasizing there was no evidence of actual data access or exfiltration by the unauthorized party.
