An employee electronic mailbox containing patient personal information was compromised following a cyber attack on Louisiana State University (LSU) medical centers.
According to LSU, thousands of patients were notified of the incident, which exposed not only medical record numbers and account numbers but also Social Security numbers. The Care Services Division detected the cyber intrusion coming from an employee’s electronic mailbox.
The incident appears to have happened on September 15, 2020, and the access was disabled only three days after the discovery. LSU Health said the exposed data contained only ‘limited’ information at partner hospitals.
Affected hospitals include Lallie Kemp Regional Medical Center in Independence, Leonard J. Chabert Medical Center in Houma, W.O. Moss Regional Medical Center in Lake Charles, and many others. The Interim LSU Hospital in New Orleans was also dragged into this massive cyber attack.
“The Health Care Services Division is not aware that the intruder actually accessed or misused the patient information in the employee’s mailbox. LSU Health Care Services Division is currently investigating the time frame of the patient information that may have been accessed,” said LSU in a statement.
After the intrusion was detected, the Health Care Services Division’s Compliance and Privacy Department began the long process of identifying the patients affected by the data breach. LSU said they’re continuously notifying the affected individuals to protect their info and credentials.
The exposed data is said to vary by location of care and email message. However, the common information compromised includes types of service received, phone numbers, addresses, insurance identification numbers, birth dates, and patients’ names.
“A few contained a patient’s bank account number and health information including a diagnosis. In most instances, there was limited information in the email or attachment, meaning that just a few of these identifiers were contained in the email,” added LSU.
The state hospital also clarified that, while it’s possible that the intruder accessed the information, LSU isn’t aware that the information in the employee’s mailbox was actually accessed or misused. They also added that affected individuals should monitor their credit reports for any potential identity theft.
For the time being, the healthcare provider said it is undergoing a strict review of its privacy and security policies to determine what improvements need to be made. Additional methods of protecting the email system are being reviewed to determine the risk of a future breach.
More importantly, employees are trained and required to complete information security training to prevent such an incident from happening again.