9,160 Goshen Health Patients Affected by Phishing-Related Email Breach

Goshen Health in Indiana has notified 9,160 patients about a phishing-related email breach in August 2018 that could have exposed their protected health information (PHI).

Goshen Health took steps to secure the compromised email accounts upon discovery of the breach and immediately had the incident investigated. Initially, it was thought that there was no need to issue patient notifications since the security breach did not compromise any PHI. However, it was discovered on August 1, 2019 that the compromised email accounts contained a few patients’ PHI. Hence, notification letters were sent to the patients.

The breach transpired between August 2, 2018 and August 13, 2018. The email accounts of two Goshen colleagues were accessed by an unknown, unauthorized person. Because of the incident, Goshen Health enhanced its email security protection and employed additional forensic resources and technology to have the breach re-evaluated.

Third-party forensics experts re-evaluated the breach in November 2018. However, no evidence was found that would confirm unauthorized access to or theft of PHI. The assessment involved a thorough analysis of the accessed email accounts to learn whether they held any sensitive patient data. Almost a year after the email accounts were first breached, the accounts were identified as containing the PHI of some patients.

The following is a list of the PHI potentially exposed during the attack: names, dates of birth, location, driver’s license numbers, Social Security numbers, healthcare insurance details, names of doctors and certain clinical information.

On September 30, 2019, Goshen Health submitted the breach report to the HHS’ Office for Civil Rights. The provider additionally issued notification letters to the affected patients right away. Persons who had their Social Security number or driver’s license number exposed received free credit monitoring and identity theft protection services for 12 months.

The employees furthermore underwent email security and phishing awareness training.