Louisville, KY-based Baptist Health has contacted 880 patients to notify them that some of their protected health information may have been obtained by hackers.
The PHI breach was discovered on October 3, 2017, when irregular activity was detected on an employee's email account. Baptist Health determined that a third party had sent a phishing email to the member of staff, who replied and disclosed login credentials, allowing the email account to be compromised.
Those login details were then used by an unknown individual to gain access to the email account. The account contained the protected health information of 880 patients, although it is not clear whether any of the emails were viewed. The motive behind the cyberattack may not have been to gain access to sensitive data.
What is clear is that the access was used to send further phishing emails to other email accounts. After discovering the breach, Baptist Health responded quickly to limit the potential for harm: the affected email accounts were disabled and a password reset was carried out to prevent further unauthorized access.
Based on the actions the hacker took once access to the account was obtained, Baptist Health does not believe any information contained in the emails has been used improperly.
An audit of all emails in the account showed the types of information possibly compromised included names, medical record numbers, dates of birth, clinical history, and treatment information. A small number of Social Security numbers were also exposed.
Since PHI access and misuse cannot be ruled out with certainty, all 880 patients affected by the breach have been notified, and patients whose Social Security numbers were exposed have been offered free credit monitoring and identity theft protection services for one year.
Employees have also received additional training on phishing emails, and the login process for remote access has been strengthened to prevent similar breaches from occurring in the future.