Baptist Health Louisville in Kentucky recently notified 880 patients of a phishing incident. The incident was also reported to the U.S. Department of Health and Human Services.
According to a substitute notice in response to the breach, on October 3, Baptist Health discovered that an employee’s email account credentials were obtained by an unauthorized third-party on October 2, and had been used to generate “phishing” emails to other email accounts.
Baptist Health immediately disabled the email accounts, changed the account passwords, and conducted a thorough investigation that could not rule out that an unauthorized third-party may have viewed the employee’s emails. Baptist Health then conducted a review of the affected employee’s email accounts and confirmed that some of the emails contained patient information, and may have included patients’ names, dates of birth, medical record numbers, treatment and/or clinical information, and in some instances Social Security numbers.
Although Baptist Health states there is currently no reason to believe that patient information has been used improperly, they began mailing letters to affected patients on November 21, 2017, and established a dedicated call center to answer any questions patients may have regarding the incident.
Patients whose Social Security numbers were potentially involved are being offered a one- year complimentary credit monitoring and identity protection service.
In response to the incident, Baptist Health notes that they are reinforcing education with their staff regarding “phishing” emails and they have strengthened the log-in process for remote email access.