PHI of 9,160 Goshen Health patients possibly impacted in August 2018 email breach

Indiana-based Goshen Health has started informing 9,160 patients that a few of their PHI (Protected Health Information) might have been compromised, in Aug. 2018, in phishing-related email breach.

Upon learning about the incident, the email accounts that were compromised have been secured and an internal investigation was promptly launched by Goshen. It was found that an unauthorized, unidentified third-party might have possibly accessed email accounts of 2 Goshen colleagues. The breach has occurred between Aug. 2, 2018, and Aug. 13, 2018. However, at that time, it didn't appear that notification was required for any patients as the Protected Health Information didn't look like being compromised.

After the email breach, Goshen Health has enhanced their email security protections as well as also used more forensic tools and technology for re-evaluating the breach.

In Nov. 2018, third-party forensics experts have been retained for reassessing the incident; however no evidence of PHI theft or unauthorized PHI access was found. Part of the assessment involved detailed search of the email accounts that were compromised, in order to determine whether those email accounts contain any type of sensitive patient information. However, on Aug. 1, 2019, Goshen learned that those compromised email accounts contain Protected Health Information of some patients and so the notification letters were required.

The information type varies individual to individual, but might have included the individual's name, date of birth, addresses, health insurance information, limited clinical information, physician name, driver's license number and Social Security number. The individuals whose driver's license number or Social Security number have been exposed were offered 1 year of complimentary identity theft protection and credit monitoring services.

On Sep. 30, 2019, Goshen Health starts sending the written notifications to all possibly affected individuals for whom they have the contact information. The breach was also reported to HHS' Office for Civil Rights on Sep. 30, 2019.

Additional training related to the email security as well as phishing awareness has been provided to the staff members now.

Goshen officials have apologized for any concern or inconvenience this incident might have caused, emphasizing that security of patient information and personal information were taken very seriously.

» SPAMfighter News - 10/22/2019