Cyber Incident Victim: Kaleida Health
Date: Jul 2017
Location: United States of America
Summary
Kaleida Health, a major healthcare provider in western New York, experienced two successful phishing attacks in consecutive months, compromising employee email accounts and exposing patient information. The incidents resulted in breach notifications to approximately 2,800 individuals following the first attack and an additional 744 patients after the second intrusion. The organization attributed both breaches to employees falling for phishing scams, prompting implementation of enhanced security training and remedial measures to mitigate future risks.
Description
In July and August 2017, Kaleida Health, the largest healthcare provider in western New York, experienced two separate phishing incidents that compromised patient information. During the first incident in July, an employee fell victim to a phishing attack, leading to unauthorized access to protected health information. This breach affected approximately 2,800 patients, necessitating formal notification as required by healthcare privacy regulations. The following month, in August, another phishing attack occurred under similar circumstances, impacting an additional 744 patients. Both incidents involved deceptive emails that tricked employees into disclosing credentials or sensitive data, though the specific tactics used by the attackers were not detailed in public disclosures. The organization publicly acknowledged the breaches through notifications posted on its official website, confirming the incidents but not specifying the exact types of data exposed or the operational systems targeted.

Kaleida Health responded by implementing remedial measures focused on preventing future occurrences. These actions included enhanced employee training programs designed to improve recognition of phishing attempts and reduce susceptibility to social engineering tactics. The organization did not disclose whether technical controls such as multi-factor authentication or email filtering systems were upgraded as part of these efforts. As a direct consequence of the breaches, Kaleida was required to notify a total of 3,544 patients across the two incidents, incurring regulatory notification costs and potential reputational damage. No information was provided regarding financial losses, legal repercussions, or disruptions to clinical care resulting from the attacks. The consecutive nature of the breaches within a two-month period highlighted ongoing vulnerabilities in the organization's security posture at that time.
