
Community-based healthcare system Methodist Hospitals from Gary, Indiana, disclosed that sensitive personal and medical information for 68,039 individuals may have been exposed following a successful phishing attack against two of its employees.
Methodist provides surgical and medical hospital services, employs 2,576 people, and reported a total of 195,055 patient encounters during 2018, according to last year's annual report.
"In June 2019, Methodist learned of unusual activity in an employee’s email account. We immediately commenced an investigation, working with third-party forensic investigators, to assess the nature and scope of the email account activity," says the notice of data incident.
"On August 7, 2019, the forensic investigation determined that two (2) Methodist employees fell victim to an email phishing scheme that allowed an unauthorized actor to gain access to their email accounts."
SSNs and payment card data potentially exposed
The subsequent investigation found that the first employee's account was accessed on June 12 and from July 1 to July 8, 2019, while the data in the second account was exposed between March 13 and June 12, 2019.
"While Methodist has no evidence of actual or attempted misuse of any information present in the email accounts, the investigation could not rule out the possibility of access to data present in the accounts," adds the healthcare system.
Methodist also discovered as part of the same investigation that, while the personal and medical information exposed for each individual varies, the two email accounts included the following patient info:
Methodist began sending notifications to all the individuals that might have had their information exposed following this security incident and also reported the incident to state and federal regulators such as the U.S. Department of Health and Human Services.
Individuals who have received a data incident alert from Methodist are also urged "to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor credit reports and explanation of benefits forms for suspicious activity."
Failed BEC scam leads to data exposure
In related news, UAB Medicine also reported a data exposure incident following another phishing attack that targeted the medical center's payroll department and allowed the attackers to gain access to employee emails containing health information for 19,557 patients.
According to UAB Medicine, the attackers tried to redirect some of its employees' payroll payments to bank accounts under their control.
Although that attempt failed, they were still able to gain access to patient information including names, birth dates, diagnosis and treatment information, and, in some cases, Social Security numbers.
UAB Medicine also notified the impacted individuals and advised them to monitor their insurance statements and credit reports for fraudulent or suspicious activity.