Cyber Incident Victim: University of Louisville

Date: Sep 2018

Location: United States of America

Summary

A data breach at the University of Louisville compromised personal information of nearly 250 faculty, staff, and retirees enrolled in the "Get Healthy Now" wellness program, operated by Health Fitness. Exposed data included employee names, identification numbers, physicians' names, limited medical details, and program coaching forms, though no financial or Social Security information was involved. The institution confirmed unauthorized access occurred through the third-party program and notified affected individuals after verification, offering one year of complimentary credit monitoring. While no evidence of misuse was found, the incident impacted multiple organizations beyond the university.


Description

On September 11, 2018, the University of Louisville notified faculty and staff via mass email about a data breach impacting participants in its "Get Healthy Now" employee wellness program. The incident affected 247 current employees and retirees who had enrolled in the program between 2007 and 2014. Unauthorized actors accessed personal information including employee names, university-issued employee identification numbers, and physician names. In one isolated case, a limited amount of medical information was compromised. Program-specific documents related to health coaching sessions were also exfiltrated. The university clarified that no Social Security numbers or financial data were exposed in the breach. University officials emphasized that, following forensic analysis, they found no evidence suggesting the stolen information had been used for fraudulent purposes. The breach originated from systems managed by Health Fitness, the third-party vendor administering the Get Healthy Now program, and impacted multiple client institutions beyond the University of Louisville.

The university first received notification of the security incident from Health Fitness on August 24, 2018, initiating an 18-day investigation period to verify affected individuals. By September 11, all 247 impacted persons had been directly contacted through individualized communications. Health Fitness offered affected individuals one year of complimentary credit monitoring services as remediation. The university directed concerned faculty and staff to contact the Get Healthy Now program office during standard business hours for additional assistance. No disruptions to university operations or academic functions were reported as a consequence of the breach. The incident exclusively compromised historical program participation records without affecting active employee databases or university information systems.
