Data breach may have affected some residents
LSU Health New Orleans Health Care Services Division recently became aware of a cyber intrusion into an employee’s electronic mailbox. Email messages or attachments contained limited information about patients who received care at Bogalusa Medical Center in Bogalusa; Lallie Kemp Regional Medical Center in Independence; Leonard J. Chabert Medical Center in Houma; W. O. Moss Regional Medical Center in Lake Charles; the former Earl K. Long Medical Center in Baton Rouge; University Medical Center in Lafayette; and Interim LSU Hospital in New Orleans. It is possible that this information was accessible.
The intrusion appears to have occurred on Sept. 15, and the mailbox access was discovered and disabled on Sept. 18. The Health Care Services Division is not aware that the intruder actually accessed or misused the patient information in the employee’s mailbox. LSU Health Care Services Division is currently investigating the time frame of the patient information that may have been accessed.
When the intrusion was discovered, the LSU Health Care Services Division’s Compliance and Privacy Department began the process of identifying any patients whose information may have been compromised. While the exhaustive investigation has found thousands of patients, work continues to discover any others. Affected patients and the public are being notified.
The type and amount of patient information varied by location of care and by email message but may have included: patients’ names; medical record numbers; account numbers; dates of birth; Social Security numbers; dates of service; types of services received; phone numbers and/or addresses; and insurance identification numbers. A few contained a patient’s bank account number and health information including a diagnosis. In most instances, there was limited information in the email or attachment, meaning that just a few of these identifiers were contained in the email.
Out of an abundance of caution, patients who received care at the above hospitals are encouraged to monitor their credit reports for potential identity theft. The website www.identitytheft.gov provides a step-by-step process to respond to, and recover from, incidents of identity theft.
LSU Health Care Services Division sincerely regrets any inconvenience or concern this incident may cause affected patients. Although strict privacy and security policies were in place at the time of the intrusion, security practices and procedures as well as additional available methods for protecting the email system are being reviewed to determine if improvements can be made to further reduce the risk of such a breach in the future. Any changes will be included in the information security training that all employees are required to complete.
Any questions concerning this matter should be directed to LSU Health Care Services Division’s Compliance and Privacy Department at 1-800-735-1185. Please leave a name and a phone number where you can be reached in the future. Calls will be returned as soon as possible.