HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

LSU Health Discovers Additional Hospital Affected by September 2020 Email Account Breach

The protected health information of certain patients of LSU Health University Medical Center-New Orleans has potentially been compromised in an email security breach.

LSU Health New Orleans Health Care Services Division previously announced on November 20, 2020 that it has suffered a security breach involving the email account of an employee in September 2020. At the time, it appeared that the breach only affected certain patients who had received medical services at Lallie Kemp Regional Medical Center in Independence; Leonard J. Chabert Medical Center in Houma; W. O. Moss Regional Medical Center in Lake Charles; and the former Earl K. Long Medical Center in Baton Rouge; Bogalusa Medical Center in Bogalusa; University Medical Center in Lafayette; or Interim LSU Hospital in New Orleans.

LSU Health’s ongoing investigation revealed the data of certain patients of its partner hospital, University Medical Center-New Orleans, was also stored in the compromised email account.

The breach occurred on September 15, 2020 and was discovered on September 18.  While the email account was accessed by an unauthorized individual, no specific evidence of PHI access or misuse has been discovered.

Please see the HIPAA Journal Privacy Policy

The types of information in the account varied from patient to patient and may have included patients’ names, phone numbers, addresses, medical record numbers, account numbers, Social Security numbers, dates of birth, dates of service, types of services received, and health insurance information. A small percentage of patients may have had their bank account number and health information exposed.

Beebe Medical Foundation Affected by Blackbaud Ransomware Attack

Lewes, DE-based Beebe Medical Foundation has announced it has been affected by the ransomware attack on Blackbaud Inc. In a December 28, 2020 breach notice, Beebe Medical Foundation explained that it received notification from Blackbaud on July 16, 2020 about the ransomware attack which saw Blackbaud’s systems compromised between February 7, 2020 and May 20, 2020.

It only became apparent that Beebe data was affected in November 2020. After conducting a review of the actual data involved, Beebe confirmed on December 2, 2020 that the personal information of 56,953 individuals had been obtained by the attackers. The stolen data included names, dates of birth; clinician names; dates of screening; visit dates; and the department related to medical services provided.

Blackbaud paid the ransom and received assurances that the stolen data has now been deleted; however, out of an abundance of caution, Beebe is issuing notifications to affected individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.