Methodist Hospitals discovered two employee email accounts that have been exposing patient-related data
In June 2019, Methodist Hospitals launched an investigation after questionable activity was spotted in an employee's email account. Later, on August 7, two employees pleaded guilty to getting involved in an email phishing activity that enabled remote access to the healthcare system's email accounts.
According to the investigation, one email account was accessed on June 12 and again between July 1 and July 8, while the other employee's email account was accessed between March 13 and June 12.
Since 2018, Methodist Hospitals have accumulated almost 200,000 patients and around 2,500 employees. Due to the illegitimate activities of two employees, 68,039 people might have been affected by the data breach.
Even though the company does not hold any evidence of the information being misused, it is still investigating what type of data might have been exposed:
While we have no evidence of actual or attempted misuse of any information present in the email accounts, we could not rule out the possibility of access to data present in the accounts. In an abundance of caution, we undertook a comprehensive review of the data present in the accounts to confirm what records may be present.
The data breach included various personally identifiable and credential data
According to the official report, the information involved may differ for each person, depending on what type of data was kept in the accessed email accounts. Taken together, however, the breached details may include names/surnames, residence addresses, birthdates, group/plan numbers, SSNs, driver license codes, passport numbers, banking account numbers, credentials, electronic signatures, medical information, etc.
The company states that it has taken this incident very seriously and has employed investigators to take a close look at the data breach. In addition, Methodist Hospitals claim to be reviewing older safety services and adding security measures for private data protection. They have also reported this recent incident to federal regulators:
Additionally, while we have security measures in place to protect data in our systems, we are reviewing our existing policies and procedures and implementing additional safeguards to further protect information. We are also reporting this incident to relevant state and federal regulators.
Methodist Hospitals are not the only ones to experience a data breach recently
Methodist Hospitals state that they have checked whose private information might have been involved in the data breach and have been contacting these people individually via email. The company has also described all necessary security steps for private data protection in the same emails that are sent to potential victims. In addition, users can learn more about account monitoring in the “Steps You Can Take to Protect Your Information” guide.
Another recent data breach affected a primary health organization from New Zealand, known as Tū Ora Compass Health. Once the bogus activity was discovered, the company was forced to disable some of its servers, although they were not capable of securing their clients' data. This data leak incident might have led to the exposure of around 1 million users' information, such as names, birthdates, National Health Index Numbers, and residence addresses.