UofL Health Data Breach Occurs After PHI Sent to Wrong Email

June 28, 2021 - UofL Health in Louisville, Kentucky sent notification letters to over 40,000 patients explaining that their protected health information (PHI) was accidentally sent to the wrong email address in a recent health data breach.

The patients’ PHI was sent to an email address outside of the health system’s network, but the recipient did not view or access any information. UofL did not specify what PHI was contained in the email, but the recipient confirmed that the email was quickly deleted.

“On June 7, we sent some of our patients a letter explaining that we had recently discovered that some UofL Health emails containing some of their health information were sent to an external domain. We provided that notice based on our best knowledge as of that day,” UofL explained in a notice on its website.

“The next day, on June 8, we received a response from the owner of the external domain, providing us with technical evidence that the emails we were concerned about were never viewed or accessed, and have been deleted. We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner.”

UofL offered identity protection services in its initial letter to impacted patients and will continue to offer those services despite confirming that the data has been secured and was not viewed.

While this breach was likely due to human error, other recent healthcare data breaches are the result of malicious cyberattacks. A recent ransomware attack on Hoya Optical Labs exposed the personally identifiable information (PII) of over 3,000 patients, including Social Security numbers and bank account information.

In addition, a recent survey conducted by IT security company Sophos revealed that 63 percent of healthcare organizations that were not impacted by ransomware in the last year expect to be the target of a cyberattack in the near future.