Cyber Incident Victim: UofL Health
Date: Jun 2023
Location: United States of America
Summary
UofL Health was affected by a mass cyberattack exploiting a vulnerability in the third-party MOVEit file-transfer tool. The incident involved unauthorized access to files containing the personal information of a small percentage of patients, including names, dates of birth, Social Security numbers, and other sensitive data. The organization's internal network and electronic medical records systems were not compromised. An investigation found no evidence that the accessed data has been misused.
Description
On or around June 1, 2023, UofL Health received an alert from its external security vendor indicating it may have been one of the thousands of organizations affected by a vulnerability in the third-party file transfer software known as MOVEit. This alert was prompted by the widespread exploitation of a previously unknown security vulnerability in Progress Software’s MOVEit Transfer tool by the Clop ransomware gang. The criminal group had initiated mass data raids targeting corporate customers of the software, claiming responsibility for the attacks and listing victims on its dark web leak site. UofL Health was subsequently listed on this site, confirming it had been targeted by the hackers. The incident was not the result of a breach of UofL Health’s own internal systems but was instead tied exclusively to the use of the vulnerable third-party software.

Upon receiving the initial alert, UofL Health immediately took action to investigate the potential impact. The organization promptly engaged a forensic investigator to determine the effects of the third-party vulnerability on UofL Health and its patients. The investigation was launched to ascertain whether any unauthorized access had occurred and to define the scope of any potential data exposure. It was confirmed that only a small number of UofL Health medical practices employed the MOVEit software, and its use was limited to securely transferring patient information files to third-party vendors. The UofL Health internal network and its electronic medical records databases were not compromised in the incident, and there was no impact on the security or normal operations of UofL Health's hospitals, medical centers, and physician offices.
The forensic investigation concluded on June 21, 2023, revealing that the MOVEit vulnerability had indeed allowed an unauthorized third party to access certain files that were being transferred using the software. The investigation determined that some of these accessed files contained protected health information pertaining to a small percentage of UofL Health patients. The types of information that may have been exposed included patients' names, dates of service, dates of birth, patient account numbers, member ID numbers, Social Security numbers, and addresses. The forensic review found no evidence to suggest that the accessed data had been further compromised or misused following the initial intrusion.
In response to the findings, UofL Health began a process of notifying the patients whose information was identified in the files involved in the incident. On August 18, 2023, the organization announced it was mailing individual letters to these affected patients. The notification letters detailed the nature of the incident and the specific types of personal information that were potentially exposed. To support affected individuals, UofL Health established a dedicated, toll-free call center to answer patient questions. This call center was made available Monday through Friday, between 9 a.m. and 9 p.m., Eastern Time. For those patients whose sensitive information, particularly Social Security numbers, was involved, UofL Health offered complimentary credit monitoring and identity theft protection services.
The organizational response included working with relevant authorities and implementing additional measures to enhance data security. UofL Health stated that its existing policies and procedures allowed it to quickly address the vulnerability disclosed by the vendor and minimize the impact to patients. In the wake of the incident, the health system continued to implement additional technological and administrative safeguards designed to protect personal information. This included a comprehensive review of protocols and security measures related to the use of third-party vendors and software tools to prevent similar future incidents. The public announcement and patient notification were part of a broader effort to maintain transparency regarding the privacy incident.
The incident was part of a much larger global cyberattack campaign. The Clop ransomware gang exploited the MOVEit vulnerability to claim hundreds of victim organizations, impacting millions of individuals worldwide. Other victims included major banks, hotel chains, universities, and other healthcare entities. UofL Health's experience was consistent with the pattern of this attack, where the compromise was not of its own infrastructure but of a third-party tool used for secure file transfers. The scope of the incident at UofL Health was limited to the data contained within the files being transferred via the MOVEit platform during the period of vulnerability, and the organization emphasized that its core medical operations and patient care systems remained secure and unaffected throughout the event.
