On November 16, 2022, Lake Charles Memorial Health System (“LCMH”) confirmed that an unauthorized party was able to gain access to its computer network. Previous reports indicate that the cyberattack on LCMH was a Hive ransomware attack, although the organization has yet to confirm whether that is the case. However, a prominent data breach news source confirmed the attack after the ransomware group shared email communications between the group and LCMH. While the investigation into the Lake Charles Memorial Health System is still in its infancy, preliminary reports suggest that the attack leaked patients’ protected health information as well as information contained in employee personnel files.
What We Know About the Lake Charles Memorial Health Data Breach
The available information regarding the Lake Charles Memorial Health breach comes from a recent news report documenting the communications between the hackers and LCMH. Evidently, on October 25, 2022, LCMH received an email from the Hive ransomware group explaining that the group had obtained access to LCMH’s network for 12 days and had exfiltrated 270 GB of files, including patient and employee data. Notably, Hive indicated that it removed but did not encrypt any of the data on the LCMH network.
Based on the report, Hive reached out over email and by phone to discuss the payment of a ransom; however, all efforts at reaching someone from LCMH were unsuccessful.
Hive appears to have demanded a ransom of $900,000. In exchange, the organization would agree to delete all the data and help LCMH better understand the system vulnerabilities that allowed Hive to access the LCMH computer network. There is no evidence that LCMH responded with a counteroffer. However, on November 3, 2022, a representative with LCMH responded to Hive, explaining that LCMH will review the offer with management. However, Hive did not hear back from LCMH.
On November 15, 2022, Hive started to post some of the exfiltrated information on the organization’s leak site (a website where hackers post proof that they successfully carried out an attack). Again, while the data types that were leaked have not yet been confirmed by LCMH, based on reports it appears that the leaked data consists of patients’ protected health information as well as internal documents and personnel files.
On November 16, 2022, Lake Charles Memorial Health System released the following statement:
Lake Charles Memorial Health System (“LCMH”) recently learned of unauthorized activity on our computer network. Our cybersecurity team quickly identified and blocked the activity. Due to our team’s quick response, the incident did not impact any LCMH patient care or clinical operations. We are working with industry experts to investigate and address this issue. We also reported the incident to law enforcement. Protecting the security and confidentiality of the information we maintain is of the utmost importance to us. LCMH is continuing to assess the information involved, and will notify affected individuals in accordance with applicable laws and regulations
Lake Charles Memorial Health System is a privately-owned health system in Lake Charles, Louisiana. LCMH consists of the following practices: Lake Charles Memorial Hospital, Lake Charles Memorial Hospital for Women, Moss Memorial Health Clinic, Archer Institute, Memorial Medical Group, Memorial/LSUHSC Family Medicine Residency Program. Lake Charles Memorial Health employs more than 2,520 people and generates approximately $369 million in annual revenue.
If you receive a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Lake Charles Memorial Health data breach, please see our recent piece on the topic here.