Sometimes an incident that initially doesn’t appear to require notification turns out to require notification under HIPAA. In an August 2018 incident involving Goshen Health, reported by The Elkhart Truth, the health system originally determined that no notification was required. But when forensic investigators came in months later and searched for any information that might have been accessible, the entity learned that such access was possible. And so, more than a year after first discovering the incident, Goshen Health notified potentially affected patients.
The release from Goshen appears below. The number of patients being notified was not disclosed, but this incident may show up on HHS’s public breach tool at some point.
Goshen Health (“Goshen”) announced today that it is addressing a security incident that involved the personal information of some of its patients. Goshen has launched an internal investigation, notified individuals who may have been impacted and implemented additional security measures to prevent future occurrences.
An unauthorized third party may have potentially accessed two Goshen Colleagues’ email accounts from approximately August 2, 2018 to August 13, 2018. At that time, however, it did not appear that notification to any patients was required. As Goshen continued to enhance its email security, it employed additional forensic tools and technology and retained outside forensic experts in November 2018 to re-evaluate the incident. There was no indication that any personal information was actually viewed or acquired by the unauthorized party. Nevertheless, as part of its investigation, an intensive search occurred for any personal information in the email accounts that could have been viewed.
On September 30, 2019, Goshen began sending written notifications to all potentially impacted individuals for whom it has contact information, and arranged for complimentary identity theft protection services for those individuals whose Social Security numbers and/or driver’s license numbers were involved in the incident.
Affected individuals should refer to the notice they will receive in the mail regarding steps they can take to protect themselves. As a precautionary measure, impacted individuals should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely. If individuals detect any suspicious activity on an account, they should promptly notify the financial institution or company with which the account is maintained. They should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and their state’s attorney general.
Affected individuals may also wish to review the tips provided by the Federal Trade Commission (“FTC”) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft. For more information and to contact the FTC, please visit www.ftc.gov/idtheft or call 1-877-ID-THEFT (1-877-438-4338). Affected individuals may also contact the FTC at: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Upon learning of the incident, Goshen promptly launched an internal investigation and changed the passwords for the two email accounts at issue. A leading forensic security firm was retained to assist in the investigation and to provide further training and assistance to all staff related to phishing email security awareness.
Goshen officials apologize for any inconvenience or concern this incident might cause, emphasizing that the security of personal information and patient information systems is taken very seriously. Additional information is available at https://www.goshenhealth.com or via a confidential, toll-free inquiry line at 1-888-470-4111 between 8:00 a.m. and 5:00 p.m., Eastern Time, Monday through Friday.
Dated: September 30, 2019