Phishing Attack at Baptist Health Louisville Potentially Impacted 880 Patients


A security breach at Baptist Health in Louisville, Kentucky was discovered on October 3, 2017. Approximately 880 patients have been notified that their sensitive information may have been accessed and stolen by unauthorized persons. According to the report, irregular activity was detected in an employee's email account. Prior to that, a third party had sent a phishing email to the employee, who was tricked into disclosing their login details.

The unknown individual used the employee's login credentials to access the email account. Although the account held the protected health information of 880 patients, it is not certain whether the information was actually viewed. The motive behind the phishing attack is believed not to have been the theft of sensitive information; the apparent aim was to send further phishing emails to other email accounts.

Baptist Health quickly took action to limit the harm the attacker could do with the email account. Passwords on the affected email accounts were reset to block further unauthorized logins. Since the attack, no reports of misuse of patients' information have been received.

Upon review of the affected email accounts, the potentially compromised information included patients' names, dates of birth, medical record numbers, clinical information and treatment details. Some records also contained Social Security numbers. Because access to and misuse of the PHI could not be ruled out, Baptist Health notified the 880 patients of the breach. The healthcare provider also offered one year of free credit monitoring and identity theft protection services to those whose Social Security numbers were exposed.

Aside from notifying the patients, Baptist Health also gave its staff additional training on how to identify and handle phishing emails. The security of remote email access has also been strengthened to prevent breaches of a similar nature from happening again.