Cyber Incident Victim: Baptist Health Louisville
Date: Oct 2017
Location: United States of America
Summary
Baptist Health Louisville experienced a phishing incident in which an unauthorized third party obtained an employee's email credentials, potentially exposing emails containing patient information such as names, dates of birth, medical record numbers, treatment details, and some Social Security numbers. The organization promptly disabled the affected accounts, reset passwords, and conducted an investigation, but it could not confirm whether patient data was viewed. Notifications were sent to 880 impacted individuals, a dedicated call center was established for inquiries, and complimentary credit monitoring was offered to those whose Social Security numbers were exposed. In response, the entity reinforced staff training on phishing threats and strengthened authentication for remote email access.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 3, 2017, Baptist Health Louisville discovered that an employee's email account credentials had been compromised by an unauthorized third party the previous day (October 2). The attacker used the compromised account to send further phishing emails to other accounts within the organization, a common pattern in which one phished mailbox is used to lend credibility to lures aimed at colleagues. Upon detection, Baptist Health promptly disabled the affected email accounts, reset account passwords, and initiated an internal investigation. The investigation could not conclusively determine whether the unauthorized actor had accessed or viewed the contents of the compromised email accounts, so the mailbox contents had to be treated as potentially exposed. A subsequent review of the employee's email correspondence confirmed the presence of protected health information, including patient names, dates of birth, medical record numbers, treatment details, and clinical information. A subset of records also contained Social Security numbers. The breach was reported to the U.S. Department of Health and Human Services, consistent with HIPAA breach notification obligations for incidents affecting protected health information.

Baptist Health began mailing notification letters to 880 affected patients on November 21, 2017, seven weeks after the breach was discovered. The organization established a dedicated call center to address patient inquiries and provided one year of complimentary credit monitoring and identity protection services to individuals whose Social Security numbers were potentially exposed. While Baptist Health stated that no evidence indicated misuse of patient information, it implemented corrective measures including enhanced staff training on recognizing phishing emails and strengthened authentication for remote email access. The incident illustrates two recurring risks of credential phishing: a single compromised mailbox can expose every message it holds, regardless of whether the attacker is ever shown to have read them, and the same credentials can be reused to phish the rest of the organization from a trusted internal sender. The corrective measures were aimed at reducing both.
