Methodist Hospitals in Gary, Merrillville hit with possible data breach - October 17, 2019

Courtesy of Chicago Tribune • Oct 17, 2019

By Grant Morgan

Methodist Hospitals — with two campuses in Gary and one in Merrillville — is warning patients of a potential data breach after suspicious email activity was discovered in an employee’s account in June.
In August, investigators found that two Methodist employees “fell victim to an email phishing scheme that allowed an unauthorized actor to gain access to their email accounts,” according to a release.

Email phishing schemes often lure a person into sending or allowing access to sensitive information by posing as a legitimate company or entity.
One account was subject to unauthorized access on June 12 and from July 1 to July 8, 2019, while the other was accessed between March 13 and June 12, 2019.

“While we have no evidence of actual or attempted misuse of any information present in the email accounts, we could not rule out the possibility of access to data present in the accounts,” the Methodist Hospitals release states.

The potential accessed data includes names, addresses, health insurance information, Social Security numbers, state ID and passport numbers, financial account numbers, electronic signatures, usernames and passwords, dates of birth, medical records and Medicare or Medicaid information.

The release states the hospital is working with third-party forensic investigators and state and federal regulators to fix the situation, as well as “reviewing our existing policies and procedures and implementing additional safeguards to further protect information.”

A spokeswoman declined to name what state and federal authorities the hospital is working with.

According to its latest annual report, Methodist Hospitals had more than 195,000 patient encounters in 2018 for every type of patient service, including outpatient, inpatient and emergency services.

The hospital has more than 2,500 employees, with almost 400 active physicians, according to its website.

Next steps include sending mailed notifications to people potentially affected by the breach, according to the release.

Those with ties to the hospital are encouraged to monitor their accounts for suspicious activity. A call center has been set up at 855-913-0610.