[BreachExchange] Louisiana Hospitals Report Data Breach

Wed Nov 25 10:36:24 EST 2020

https://www.infosecurity-magazine.com/news/louisiana-hospitals-report-data/

The data of thousands of patients has been exposed following a
cyber-attack on Louisiana State University medical centers.

LSU Health New Orleans issued a HIPAA breach notification on November
20 after detecting a cyber-intrusion into an employee’s electronic
mailbox.

"The intrusion appears to have occurred on September 15, 2020, and the
mailbox access was discovered and disabled on September 18, 2020,"
said LSU Health.

Email messages or attachments in the compromised account contained
limited information about patients who received care at Lallie Kemp
Regional Medical Center in Independence; Leonard J. Chabert Medical
Center in Houma; W. O. Moss Regional Medical Center in Lake Charles;
the former Earl K. Long Medical Center in Baton Rouge; Bogalusa
Medical Center in Bogalusa; University Medical Center in Lafayette;
and Interim LSU Hospital in New Orleans.

Data exposed in the attack may have included patients’ names, medical
record numbers, account numbers, dates of birth, Social Security
numbers, dates of service, types of services received, phone numbers
and/or addresses, and insurance identification numbers.

The type and amount of patient information compromised in the incident
varied by location of care and each email message. LSU said that "a
few" email messages "contained a patient’s bank account number and
health information including a diagnosis."

LSU Health said that while "it is possible that this information was
accessible," the Health Care Services Division "is not aware that the
intruder actually accessed or misused the patient information in the
employee’s mailbox."

A final tally has not yet been reached of the total number of patients
who may have been affected by the incident.

"When the intrusion was discovered, the LSU Health Care Services
Division’s Compliance and Privacy Department began the difficult and
laborious process of identifying any patients whose information may
have been compromised," said LSU Health.

"While the exhaustive investigation has found thousands of patients,
work continues to discover any others."

LSU has encouraged all the patients who may have been affected to
monitor their credit reports for potential identity theft.

The healthcare provider said that "strict privacy and security
policies" that were in place at the time of the intrusion would now be
reviewed to determine if improvements can be made.