Posted On November 17, 2022 Consumer Privacy & Data Breaches
Recently, Lake Charles Memorial Health System (“LCMH”) appears to have been the target of a Hive ransomware attack, although the organization has yet to post notice of the breach or provide any formal notice of the incident. However, a prominent data breach news source confirmed the attack after the ransomware group shared email communications between the group and LCMH. While the investigation into the Lake Charles Memorial Health System is still in its infancy, preliminary reports suggest that the attack leaked patients’ protected health information as well as information contained in employee personnel files.
If you receive a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the possible LCMH data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone who believes they may have been affected by the breach and is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Lake Charles Memorial Health System.
The available information regarding the Lake Charles Memorial Health breach comes from a recent news report documenting the communications between the hackers and LCMH. Evidently, on October 25, 2022, LCMH received an email from the Hive ransomware group explaining that the group had had access to LCMH’s network for 12 days and had exfiltrated 270 GB of files, including patient and employee data. Notably, Hive indicated that it removed data from the LCMH network but did not encrypt any of it.
Based on the report, Hive reached out over email and by phone to discuss the payment of a ransom; however, all efforts at reaching someone from LCMH were unsuccessful.
Hive appears to have demanded a ransom of $900,000. In exchange, the group would agree to delete all the data and help LCMH better understand the system vulnerabilities that allowed Hive to access the LCMH computer network. There is no evidence that LCMH responded with a counteroffer. On November 3, 2022, a representative with LCMH did respond to Hive, explaining that LCMH would review the offer with management. However, Hive did not hear back from LCMH.
On November 15, 2022, Hive started to post some of the exfiltrated information on the organization’s leak site (a website where hackers post proof that they successfully carried out an attack). Again, while the data types that were leaked have not yet been confirmed by LCMH, based on reports, it appears that the leaked data consists of patients’ protected health information as well as internal documents and personnel files.
On November 16, 2022, Lake Charles Memorial Health System released the following statement:
Lake Charles Memorial Health System (“LCMH”) recently learned of unauthorized activity on our computer network. Our cybersecurity team quickly identified and blocked the activity. Due to our team’s quick response, the incident did not impact any LCMH patient care or clinical operations. We are working with industry experts to investigate and address this issue. We also reported the incident to law enforcement. Protecting the security and confidentiality of the information we maintain is of the utmost importance to us. LCMH is continuing to assess the information involved, and will notify affected individuals in accordance with applicable laws and regulations.
Lake Charles Memorial Health System is a privately owned health system in Lake Charles, Louisiana. LCMH consists of the following practices: Lake Charles Memorial Hospital, Lake Charles Memorial Hospital for Women, Moss Memorial Health Clinic, Archer Institute, Memorial Medical Group, and Memorial/LSUHSC Family Medicine Residency Program. Lake Charles Memorial Health employs more than 2,520 people and generates approximately $369 million in annual revenue.
Based on early reports, it appears that the cyberattack targeting Lake Charles Memorial Health System resulted in patients’ protected health information being compromised. This is far from the only cyberattack targeting protected health information. In fact, this year alone, more than 2 million patients have had their personal health information compromised. As cybercriminals and other bad actors continue to focus their efforts on obtaining patients’ protected health information, it is important for victims of a healthcare data breach to understand what is at risk and what their options are.
Protected health information, or PHI, is demographic information, test and laboratory results, medical history information, insurance information, mental health information or any other data that healthcare providers collect during the course of a patient’s treatment. The collection and use of protected health information is controlled by the Health Insurance Portability and Accountability Act of 1996, more commonly referred to as HIPAA. Of course, not all healthcare-related information is considered protected health information; only data that contains an identifier is considered PHI. This is because, without an identifier, there is no way for anyone to connect data back to a specific patient.
There are 18 different identifiers outlined in HIPAA, including a patient’s:
Of course, your health information is very personal. For this reason alone, healthcare data breaches are concerning. However, aside from an invasion of privacy, these incidents also put you at risk of experiencing financial, and even physical, harm.
In the worst-case scenario, hackers sell the information on the dark web to someone who is looking to receive medical care without paying for it. Once the buyer of your information completes the purchase, they steal your identity, going to the doctor’s office pretending to be you. This not only leaves you responsible for the “fake patient’s” medical bills, but it can also lead to misleading and incorrect information being included in your medical records.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by a data breach, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.