Gary, Ind.-based Methodist Hospitals is notifying 68,039 patients that their protected health information may have been exposed in a data breach.
The health systems discovered unusual activity in an employee's email account in June. Upon investigation, Methodist Hospitals determined that two employees fell victim to a phishing attack. Collectively, the unauthorized third-party had access to the email accounts between March 13 and July 8.
Methodist Hospitals said there is no evidence that any patient information has been misused.
Patient data stored on the email accounts included names, addresses, health insurance information, group identification numbers, Social Security numbers, financial account numbers, payment care information, medical record numbers and treatment information.
The health system is recommending patients review account statements and explanation of benefits forms as well as monitor credit reports for any suspicious activity.
"We take this incident and the security of personal information in our care very seriously. Upon learning of this incident, we moved quickly to conduct an investigation, which included working with third-party forensic investigators, to confirm the nature and scope of the event. Additionally, while we have security measures in place to protect data in our systems, we are reviewing our existing policies and procedures and implementing additional safeguards to further protect information," Methodist Hospitals said in a statement.