The data of thousands of patients has been exposed following a cyber-attack on Louisiana State University medical centers.
LSU Health New Orleans issued a HIPAA breach notification on November 20 after detecting a cyber-intrusion into an employee’s electronic mailbox.
"The intrusion appears to have occurred on September 15, 2020, and the mailbox access was discovered and disabled on September 18, 2020," said LSU Health.
Email messages or attachments in the compromised account contained limited information about patients who received care at Lallie Kemp Regional Medical Center in Independence; Leonard J. Chabert Medical Center in Houma; W. O. Moss Regional Medical Center in Lake Charles; the former Earl K. Long Medical Center in Baton Rouge; Bogalusa Medical Center in Bogalusa; University Medical Center in Lafayette; and Interim LSU Hospital in New Orleans.
Data exposed in the attack may have included patients’ names, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of services received, phone numbers and/or addresses, and insurance identification numbers.
The type and amount of patient information compromised in the incident varied by location of care and each email message. LSU said that "a few" email messages "contained a patient’s bank account number and health information including a diagnosis."
LSU Health said that while "it is possible that this information was accessible," the Health Care Services Division "is not aware that the intruder actually accessed or misused the patient information in the employee’s mailbox."
A final tally has not yet been reached of the total number of patients who may have been affected by the incident.
"When the intrusion was discovered, the LSU Health Care Services Division’s Compliance and Privacy Department began the difficult and laborious process of identifying any patients whose information may have been compromised," said LSU Health.
"While the exhaustive investigation has found thousands of patients, work continues to discover any others."
LSU has encouraged all the patients who may have been affected to monitor their credit reports for potential identity theft.
The healthcare provider said that "strict privacy and security policies" that were in place at the time of the intrusion would now be reviewed to determine if improvements can be made.