Baptist Health Louisville Phishing Attack Sees 880 Patients Potentially Exposed

by | Dec 12, 2017

Louisville, KY-based Baptist Health has notified 880 patients that some of their protected health information may have been obtained by hackers.

The PHI violation was found on October 3, 2017, when irregular activity was discovered on the email account of an employee. Baptist Health was able to determine that a third party sent a phishing email to the member of staff, who replied and disclosed login credentials allowing the email account to be compromised.

Those login details were then used by an unknown individual to gain access to the email account. The email account contained the protected health information of 880 patients, although it is not clear if any of the emails were seen. The motive behind the cyberattack may not have been to gain access to sensitive data.

What is clear is that access was used to broadcast further phishing emails to other email accounts. Following the discovery of the breach, Baptist Health responded quickly to restrict the potential for harm, disabling the affected email accounts and carrying out a password reset to stop further unauthorized access.

Due to the steps taken by the hacker once access to the account was obtained, Baptist Health does not believe any information included in the emails has been used improperly.

An audit of all emails in the account showed the types of information possibly compromised included names, medical record numbers, dates of birth, clinical history, and treatment information. A small number of Social Security numbers were also exposed.

Since PHI access and misuse cannot be ruled out with any certainty, all 880 patients affected by the breach have been alerted and patients whose Social Security numbers were exposed have been offered free credit monitoring and identity theft protection services for one year.

Employees have also received extra training in relation to phishing emails, and the login process for remote access has been enhanced to stop similar breaches from happening in the future.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
