Indiana Health System Breach Potentially Impacted More Than 68K Patients – Expert Commentary

By ISBuzz Team
Writer, Information Security Buzz | Oct 10, 2019 04:38 am PST

Indiana-based Methodist Hospitals is currently notifying 68,039 patients that their protected health information may have been exposed in a data breach. The patient data that was potentially compromised includes the following:

  • Names
  • Addresses
  • Health insurance information
  • Group identification numbers
  • Social Security numbers
  • Financial account numbers
  • Payment card information
  • Medical record numbers and treatment information

In June, the health system saw unusual activity in an employee’s email account, prompting an investigation. Methodist Hospitals determined that two employees fell victim to a phishing attack. Collectively, the unauthorized third party had access to the email accounts between March 13 and July 8. Methodist Hospitals said there is no evidence that any patient information has been misused.

2 Expert Comments
Elad Shapira, Head of Research
October 10, 2019 7:22 pm

These latest cyberattacks illustrate how valuable medical information has become. Exposed healthcare data can be damaging to companies as well as to individuals. For this reason, employees are sometimes targeted because of what they can access from a particular organization that can be exploited by hackers. This is why, when measuring the cybersecurity posture of third parties, one needs to consider not only the technical aspect that is usually provided by vulnerability assessment tools, but also the human factor, which contributes to the overall resilience of an enterprise.

Peter Goldstein, CTO and Co-founder
October 10, 2019 12:40 pm

Phishing attacks continue to be a leading cause of data breaches, as shown with the recent breach targeting Indiana-based Methodist Hospitals. In fact, spear-phishing plays a role in at least 90 percent of all cyberattacks and is a highly effective tactic leveraged by cybercriminals. Because medical records contain an abundance of personal information, including Social Security numbers, addresses, payment information, and insurance information, they are highly valuable on the dark web, allowing cybercriminals to commit insurance fraud, account takeover and identity theft.

Many organizations invest in employee email security training to prevent these kinds of attacks. However, the pressure to identify fraudulent emails should not solely be on the employees, as modern phishing attacks are extremely hard to identify due to convincing impersonation techniques (used in over 80 percent of all spear phishing messages) and sophisticated social engineering. This incident demonstrates how healthcare organizations and other companies need email security systems that validate and authenticate sender identity before an email reaches an employee inbox.
