UofL Health

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

UofL Health, based in Louisville, Kentucky, experienced a data breach due to a vulnerability in third-party software called MOVEit. The incident was first identified on June 1, 2023, when UofL Health received an alert from its external security vendor. A forensic investigation concluded on June 21, 2023, revealed that an unauthorized party had accessed certain files containing patient information. The compromised data may have included patients’ names, dates of service, dates of birth, patient account numbers, member ID numbers, Social Security numbers, and addresses. However, there was no evidence that the data had been further compromised or misused[1][4][7][10].

The breach was part of a larger incident affecting the MOVEit software, which impacted millions of people across various industries. The vulnerability was disclosed by MOVEit on May 31, and a patch was deployed the same day[10]. UofL Health was one of the thousands of organizations affected by this breach, which also involved other health systems like Johns Hopkins Medicine and Harris Health System[10].

UofL Health’s network and electronic medical records databases were not compromised, and the breach did not impact the security or normal operations of UofL Health’s systems[1][4]. The health system has taken steps to notify affected patients and is offering complimentary credit monitoring and identity theft protection services. They have also established a dedicated call center to answer any questions from patients[1][14].

In response to the incident, UofL Health has continued to implement additional technological and administrative measures to safeguard personal information, including reviewing protocols related to third-party vendors[7][14]. Affected individuals are encouraged to monitor their personal information for signs of fraud and identity theft and to contact credit reporting companies if any suspicious activity is detected[1].

Citations:

  1. https://uoflhealth.org/moveit/
  2. https://ufhealth.org
  3. https://www.bizjournals.com/louisville/news/2021/06/25/uofl-health-data-breach.html
  4. https://www.whas11.com/article/news/health/small-number-uofl-health-patients-impacted-by-moveit-data-breach/417-5c5a71ea-5a2e-4bc9-8aa9-0bb2e14b6a6b
  5. https://kykernel.com/99966/news/former-uk-students-weapon-possession-charges-reduced/
  6. https://www.wdrb.com/news/uofl-cybersecurity-expert-says-size-of-norton-healthcare-made-it-a-target-for-hackers/article_3183fc8e-f0f8-11ed-a137-23495b84afaa.html
  7. https://www.insideindianabusiness.com/articles/uofl-health-details-privacy-incident
  8. https://mycb.castlebranch.com
  9. https://louisville.edu/privacy
  10. https://www.beckershospitalreview.com/cybersecurity/kentucky-health-system-falls-victim-to-massive-moveit-breach.html
  11. https://kykernel.com/99729/news/former-uk-student-arrested-for-wanton-endangerment-after-allegedly-making-threats/
  12. https://www.wdrb.com/news/uofl-health-says-some-patients-impacted-by-third-party-software-hack/article_04bbd4cc-46e0-11ee-a5b6-c3a57adacda8.html
  13. https://healthitsecurity.com/news/uofl-health-data-breach-occurs-after-phi-sent-to-wrong-email
  14. https://www.prnewswire.com/news-releases/uofl-health-update-on-previously-disclosed-privacy-incident-301904670.html
  15. https://www.wdrb.com/news/uofl-health-says-systems-not-impacted-by-hack-of-third-party-company/article_df4add2c-1d37-11ee-a02a-5313b7593400.html
  16. https://www.courier-journal.com/story/news/local/2023/03/24/lawsuit-says-uofl-health-shares-patient-data-with-facebook-parent-meta/70043128007/
Breach Submission Date Aug 18, 2023
Converted Entity Name UofL Health
Converted Entity Type Healthcare Provider
State KY
Individuals Affected 8,175
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes