Baton Rouge General Posts Notice of Data Breach, Raising Additional Questions for Many Patients

Console and Associates, P.C.

Recently, Baton Rouge General confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive patient data contained on Baton Rouge General’s computer network. According to Baton Rouge General, the investigation is ongoing, and it has not yet conclusively determined what data types were leaked as a result of the cyberattack. However, according to another news outlet, the ransomware attackers posted evidence of exfiltrated data, including personal and protected health information. Once Baton Rouge General confirms which patients were affected and what data was subject to unauthorized access, the hospital indicates it will begin sending out data breach notification letters to all individuals who were impacted by the recent incident.

If you receive a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Baton Rouge General data breach, please see our recent piece on the topic here.

What We Know About the Baton Rouge General Data Breach

According to an official notice filed by the hospital, on June 28, 2022, Baton Rouge General detected suspicious activity across its computer systems. In response, the hospital worked with third-party cybersecurity specialists to investigate the incident. This investigation revealed that there was unauthorized access to its network between June 24, 2022 and June 29, 2022. Baton Rouge General also confirmed that the unauthorized actors had access to sensitive patient data as a result of the attack.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Baton Rouge General then began the process of reviewing the affected files to determine what information was compromised and which consumers were impacted. This review is still underway. Baton Rouge General stated that it would send out data breach letters to all individuals whose information was compromised as a result of the recent data security incident once its review is complete.

However, since the hospital posted the “Notice of Data Event” on its website, Hive, a well-known and prolific ransomware gang, took credit for the attack and started posting stolen data on the group’s leak site. Evidently, the exfiltrated data includes patients’ personal and protected health information, including “mental health updates to courts, batched billing for named patients with named diagnostic tests from LabCorp, some employee health records, ACH records going back to 2009, and scanned pdfs of patient files with demographic and medical information, such as patient intake forms for pain management at Baton Rouge Rehab Hospital.”

Despite this, Baton Rouge General’s notice continues to state that it “is unaware of any actual or attempted misuse of information in relation to the incident.”

Founded in 1900, Baton Rouge General is a healthcare system in Baton Rouge, Louisiana. Baton Rouge General operates three main campuses, as well as several dozen clinics throughout the area and the Regional Burn Center. Baton Rouge Hospital, through all its offices and affiliated practices, provides the following services to patients:

  • Behavioral Health

  • Birth Center

  • Bone Health

  • Burn Care

  • Cancer Care

  • Cardiovascular Care

  • Dermatology

  • Emergency Services

  • Gastroenterology

  • Neurosciences

  • OB/GYN Services

  • Orthopedics

  • Pediatrics

  • Primary/Urgent Care

  • Radiology & Imaging

  • Rehabilitation & Therapy

  • Surgery

Baton Rouge General employs more than 3,500 people and generates approximately $513 million in annual revenue.

The Significance of Compromised Protected Health Information

The Baton Rouge General data breach is only one of the more recent instances in which hackers targeted a large hospital or healthcare network. In fact, healthcare providers have been among the most frequently targeted organizations in 2022. As cybercriminals and other bad actors continue to focus their efforts on obtaining patients’ protected health information, it is important for victims of a healthcare data breach to understand what is at risk and what their options are in its wake.

The first step is to understand what is meant by “protected health information.” Protected health information, which is often called PHI, is demographic information, medical history information, test and laboratory results, mental health information, insurance information and other data that healthcare professionals collect to identify a patient and determine the care a patient needs. The collection and use of PHI are controlled by the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA.

Not all healthcare-related data is considered “protected health information,” however. For health information to be considered “protected,” it must contain at least one identifier. Under HIPAA, there are 18 different identifiers, including:

  • Name;

  • Address (anything smaller than a state);

  • Social security number;

  • Dates (more specific than just a year) related to an individual, such as a patient’s birthdate, admission date, etc.;

  • Email address;

  • Phone number;

  • Fax number;

  • Medical record number;

  • Health plan beneficiary number;

  • Account number;

  • Certificate or license number;

  • Vehicle identifiers, such as serial numbers and license plate numbers;

  • Device identifiers and serial numbers;

  • Web URL;

  • Internet protocol (IP) address;

  • Biometric IDs, such as a fingerprint or voice print;

  • Full-face photographs and other photos of identifying characteristics; and

  • Any other unique identifying characteristic.

Healthcare data breaches are very concerning because this information is incredibly personal. However, aside from the privacy risks, there is also a very real danger of physical and financial harm. Hackers who obtain protected health information may sell the information to another person, who can then use the stolen patient data to obtain healthcare services under the patient’s name. This not only leaves the victim responsible for the bill but can also lead to misleading and incorrect information being added to their medical records.

Those who believe their protected health information was compromised in a data breach should reach out to an experienced data breach lawyer to discuss their options.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Console and Associates, P.C.
