270,000 Patients Affected by Louisiana Hospital Cyberattack
Lake Charles Memorial Health System has confirmed that the sensitive information of almost 270,000 patients was compromised in an October 2022 cyberattack. The attack was detected by the health system’s security team on October 21, 2022, with the internal investigation concluding on October 25, 2022, that hackers had gained access to its network and exfiltrated files containing patient data.
A website notice states that notification letters were mailed to affected individuals on December 23, 2022, and that the files stolen in the attack included information protected under HIPAA, such as full names, addresses, dates of third, medical record numbers, patient ID numbers, payment information, health insurance information, and limited clinical information. Some Social Security numbers were also compromised, but the attackers did not gain access to its electronic medical record system. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. The data breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 269,752 patients.
The Hive ransomware gang claimed responsibility for the attack on Lake Charles Memorial Health System, which operates the Lake Charles Memorial Hospital, Moss Memorial Hospital, the Archer Institute, Memorial Medical Group, and the Memorial/LSUHSC Family Medicine Residency Program. Hive claims to have exfiltrated 270 GB of data from the Louisiana health system and said a ransom demand of $900,000 was issued to ensure the stolen data was deleted. The group also said that if the ransom was paid, it would share details of the vulnerabilities that were exploited to gain access to the network.
Lake Charles Memorial Health System was contacted by the gang on October 25, 2022, which claimed to have gained access to the network 12 days previously. While Lake Charles Memorial Health System reportedly entered into negotiations with the gang, those negotiations appear to have broken down, as in mid-November, Hive started publishing some of the stolen data on its data leak site, including contracts, bills of materials, scans, and documents, some of which contained patient data.