Louisiana clinic data breach affects over 300K patients
by Ryan Ozawa
The Baton Rouge Clinic, founded in 1946, takes pride in the wide range of healthcare services it provides, supporting entire families from pediatrics to geriatrics. But the faith its patients have in “the latest in medical technology” may be shaken after it was revealed this month that the Baton Rouge Clinic had suffered “a cyberattack against its electronic database.”
On September 2, 2020, the clinic turned up on the infamous “HIPAA Wall of Shame,” a public list of breaches of unsecured protected health information tracked by the federal Department of Health & Human Services (HHS) and under investigation by the Office of Civil Rights (OCR_. The company posted a letter to its patients on its website a week later.
On July 8, 2020, Baton Rouge Clinic lost access to its electronic files, including email and some patient-related records, when attackers targeted its database.
“The attack was resolved and access to the electronic files returned,” the company says. “The attacker confirmed that none of the files were used or disclosed to anyone and any files taken were destroyed.”
Although the clinic’s disclosure doesn’t mention ransomware, its description of the incident fits the profile.
The clinic retained the help of “technology experts” to investigate and recover from the attack, as well as to ensure it does not happen again.
Baton Rouge Clinic doesn’t explain how it recovered the encrypted data, for which attackers typically demand substantial payments. And it has to take the attacker’s word that the information was destroyed and not distributed.
Due to this HIPAA violation, Baton Rouge Clinic faces fines ranging from $100 to $50,000 per violation or per record, up to $1.5 million per year.
What information was exposed?
The company says that it has no evidence that electronic medical or billing records were accessed or viewed, but security experts recommend that ransomware incidents be treated as data breaches. According to the official report, 308,000 people’s information was involved.
The clinic recommends that patients respond as if their records were disclosed. This includes monitoring credit history, medical claims, and related online accounts.
What happens next?
Baton Rouge Clinic says it has taken several steps in the wake of the hacking incident, including employee training, electronic safeguards, and monitoring by cybersecurity experts. As email is listed as one of the systems compromised, the employee education response makes sense because emails is one of the most common threat vectors that hackers use to gain access to a company network.
“Unfortunately, cyberattacks are increasing at an alarming rate and no organization is completely immune from such nefarious activity despite all of the security initiatives taken to prevent such attacks,” writes CEO Edgar L. Silvey. “Please know that security of your information remains a top priority of the Clinic.”
How can an attack like this be avoided?
And Paubox Email Suite Plus seamlessly integrates with your existing email provider to send encrypted email by default, requiring no changes in user behavior.
Stop ransomware from paralyzing your business and compromising your patients.