Episcopal Health Services

Episcopal Health Services, operating under the alias EHS and headquartered in the United States, is the entity associated with a significant data security incident discovered in August 2018. The organization experienced unauthorized access to multiple employee email accounts over a period of several weeks. This breach compromised a wide array of sensitive information, including protected health information such as medical histories and treatment details, alongside personal identifying information like Social Security numbers, dates of birth, financial account data, and health insurance information. The specific data exposed varied among individuals affected by the incident.

Upon detecting suspicious activity, Episcopal Health Services initiated an investigation with the assistance of a third-party forensic firm. As a remedial measure, the organization reset all email credentials and implemented enhanced security controls to prevent recurrence. The forensic review was an extended process, during which additional affected individuals and duplicate address records were identified, necessitating multiple phases of notification. While no actual misuse of the compromised data was confirmed, the organization notified all potentially impacted individuals and relevant regulators. As a precautionary step, Episcopal Health Services offered twelve months of complimentary credit monitoring and identity theft protection services to those affected. The organization also established a dedicated call center to handle inquiries and provided guidance on fraud alerts and credit freezes. This event underscores the vulnerability of email systems to prolonged, unauthorized access and the complex, multi-stage response required when such an incident involves mixed personal and health data.