Thousands of Louisiana patients have fallen victim cyber attack that struck the medical centers of the American state. THE LSU Health New Orleans issued one notice for violation HIPAA on November 20, after attack which targeted an employee's email account.
"The intrusion appears to have occurred on September 15, 2020 and mailbox access was discovered and turned off on September 18, 2020," LSU Health said.
Emails and attachments to the compromised account were restricted information about patients who were hospitalized in Lallie Kemp Regional Medical CenterThe Leonard J. Chabert Medical CenterThe WO Moss Regional Medical Center, the former Earl K. Long Medical Center at Baton Rouge, the Bogalusa Medical CenterThe University Medical Center in Lafayette and the temporary LSU hospital in New Orleans.
Patient information leaked from the breach includes names, medical records, account numbers, dates of birth, social security numbers, service dates, types of services received, telephone numbers and / or addresses, and insurance identification numbers.
The type and number of patient information affected by incident, vary depending on location and email. LSU said some "emails" "contained patients' bank account numbers and health information, including a diagnosis."
LSU Health said that while "this information may be accessible," the health care department "did not find that the intruder actually had access to or misused patient information in the employee's mailbox."
The total number of patients affected by infringement has not yet become known.
"When the intrusion was discovered, the LSU Department of Health Services Compliance and Personal Data Protection began the difficult and arduous process of identifying any patients whose information may have been compromised," LSU Health said.
"While thorough research has found thousands of patients, we continue to discover others."
LSU encourages all patients who may have been affected to monitor their credit transactions for possible identity theft. The healthcare provider said that the "strict privacy and security policies" that have been in place so far will be reviewed to determine if improvements can be made.