Methodist Hospitals, based in Indiana, experienced a phishing attack that affected 68,039 people. In a phishing attack, hackers send email while posing as a trusted entity, often prompting recipients to click on a malicious link. The healthcare breach allowed access to the email accounts of two hospital employees from March 13 to July 8.
In response to the breach, Methodist Hospitals recommended that patients monitor their credit reports and account statements: “We take this incident and the security of personal information in our care very seriously. Upon learning of this incident, we moved quickly to conduct an investigation, which included working with third-party forensic investigators, to confirm the nature and scope of the event. Additionally, while we have security measures in place to protect data in our systems, we are reviewing our existing policies and procedures and implementing additional safeguards to further protect information.”
Although there was no evidence that protected health information (PHI) was accessed in the healthcare breach, information in the email accounts included patient names, addresses, Social Security numbers, payment care information, medical record numbers, treatment information, health insurance information, group identification numbers, and financial account numbers.
Healthcare Breaches are a Growing Threat
Healthcare breaches are occurring at an alarming rate, with more than 1.9 million patients affected in September alone. Healthcare organizations must be vigilant in their efforts to secure PHI. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (CEs) and their business associates (BAs) to protect PHI with administrative, physical, and technical safeguards.
- Technical: cybersecurity measures, such as encryption or firewalls, that are put in place to protect PHI on electronic devices. All devices containing PHI should have protections to ensure that the integrity of PHI is maintained.
- Physical: the security of an organization’s physical site, with measures such as installing video cameras, alarms, and keypad locks that allow organizations to issue unique access codes for each employee.
- Administrative: written policies and procedures that must be customized to apply to an organization’s business processes. All employees must be trained on an organization’s policies and procedures.
Not only are these safeguards required by HIPAA, implementing them will also limit the risk of experiencing a healthcare breach.