Baton Rouge General confirmed a data breach


Baton Rouge General Health System (GHS) recently confirmed a data breach in its computer systems. It operates 20 clinics and medical facilities in the Baton Rouge area and is a member of the Mayo Clinic Care Network.

Unfortunately, this isn’t the first (and won’t be the last) healthcare organization to become a cyberattack victim.

The U.S. is experiencing a crisis of attacks on healthcare covered entities and their business associates. IBM’s 2022 Cost of a Data Breach Report says the average cost of a healthcare data breach spiked by almost $1 million per event to reach a record high of $10.1 million.

Email security must be a top priority, both to safeguard healthcare organizations, their patients, and their protected health information (PHI), and to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.

Healthcare organizations that don’t try harder will face the same issues that GHS currently battles.

What initially happened?

On June 29, a local Baton Rouge news station published a statement from GHS about the recent hack:

[GHS] is working through the effects of a cyber attack that began Tuesday. First, and most importantly, the attack has not changed our ability to care for patients. . . . The only thing that’s a little different today . . . is that we’re temporarily charting the old-fashioned way – on paper – until we can safely bring our electronic medical record and other patient systems back online.

Two months later, GHS confirmed the unauthorized access on its website. The system became aware of suspicious activity on June 28 and immediately launched an inquiry.

The investigation revealed that a threat actor unlawfully accessed certain directories within its network between June 24 and 29. Given this, GHS is now undertaking a comprehensive review to determine what PHI and which patients the breach affected. Once the review is complete, it will notify those impacted via mailed notification letters.

There is no information about the breach on the Office for Civil Rights’ (OCR) Breach Portal website. The health system did not confirm the type of data breach or the PHI accessed.

Follow-up: a possible ransomware attack at Baton Rouge General

By July 1, before GHS’ notice, word circulated that the health system had been hit by ransomware. Ransomware is malicious software that holds data hostage until someone pays a ransom to release it.

RELATED: Ransomware is more common in healthcare than you think

A copy of the ransom note pointed to the Hive group, though the threat group did not confirm the information. Last year, the FBI released a flash alert about Hive ransomware. The malware typically enters a system through phishing emails or by leveraging RDP (Remote Desktop Protocol) access.

Once in a system, the threat actors exfiltrate and encrypt data and then send a ransom note. Interestingly, GHS data had not shown up on Hive’s leak site at the time, which could mean that GHS:

  • Paid the ransom
  • Is negotiating the ransom
  • Was given more time

GHS did not respond to inquiries but did release its online notice after this information became public. Since then, further reports suggest that Hive did post some of the exfiltrated data on its leak site. The exfiltrated PHI may include court-related documentation, billing records, employee health records, and patient demographic and medical information.

Costs of breach at Baton Rouge General

According to ransomware experts, ransomware recovery is a lengthy, complex process with huge expenses, from lost time to lost opportunities. As we wait for more information from Baton Rouge General, we have already seen some of the costs of its ransomware attack. First, GHS announced that it had moved quickly from its EHR (electronic health record) system to paper charting.

SEE ALSO: HHS alert: take a proactive approach to safeguarding EHR

Soon after, there were reports that GHS experienced interruptions and downtime. The health system sent some patients to other locations. Furthermore, it seems that some electronic health records were permanently lost. But this is not where the costs of ransomware (and, more than likely, of GHS’ attack) end.

On top of these immediate losses come potentially exorbitant monetary expenses:

  • Ransom (if paid)
  • Recovery and decryption fees
  • Cybersecurity additions and alterations

GHS may also have to deal with a HIPAA violation, as well as an OCR investigation and fine. Finally, as we have seen frequently of late, angry patients may file lawsuits over the breach of trust. In fact, patients of Ohio’s Memorial Health System recently filed suit after a Hive ransomware attack.

Ransomware and healthcare

This attack is just one of many recent attacks against large hospitals and healthcare networks. According to the U.S. Department of Health and Human Services (HHS), attacks in the first five months of 2022 nearly doubled from the same period last year.

RELATED: Why is healthcare a juicy target for cybercrime?

Cybercriminals target the healthcare industry for its rich stores of PHI. And given the tired, stressed staff in most healthcare organizations, they know that an email scheme more than likely works.

In April 2022, HHS even released an analyst note about the Hive group. In it, HHS states:

Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently. HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.

Knowing what to protect, what to protect it against, and how to protect it is vital.

Keep patient PHI safe

First, the FBI and other government institutions strongly discourage organizations from paying a ransom. While we don’t know whether GHS paid, we know that paying is not smart business. Doing so may lead the hackers to attack more organizations and incentivize other cybercriminals to engage in these activities. Furthermore, paying a ransom does not guarantee a full recovery of data.

Rather than deal with the costs of a cyberattack, organizations must ensure strong cybersecurity and HIPAA compliance. This includes various elements, but one of the most important is up-to-date employee awareness training.

RELATED: How to ensure your employees aren’t a threat to HIPAA compliance

But training is not enough on its own, as human error is inevitable. Therefore, a cybersecurity program must incorporate layers of protection. Security measures should include:

  • Access controls (e.g., multi-factor authentication)
  • Segmentation
  • Offline backup
  • DLP (data loss prevention)
  • Data encryption
  • Endpoint security
  • Monitoring and incident response procedures

And given the continuous use of phishing in ransomware attacks, strong cybersecurity means a solid email security program.

Paubox Email Suite: proactive approach to email security

Every healthcare organization needs to implement HIPAA compliant email security. Built to seamlessly integrate with your current email platform, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outgoing communication.

Messages go straight to patients’ inboxes, with no unnecessary passwords or portals to navigate. PHI stays contained, and email, though considered the worst threat vector, remains secure.

Even better are our inbox protections. Our HIPAA compliant, HITRUST CSF certified solution impedes such techniques as spoofing with ExecProtect and keeps malware and phishing emails at bay with Zero Trust Email.

SEE ALSO: Why health systems must take ransomware protection seriously

Healthcare organizations must always be vigilant and take the extra time to implement and update their cybersecurity. We still do not know exactly what happened at GHS, but we will more than likely use this data breach as a teachable moment.

Ransomware can be stopped before a situation becomes dire when healthcare organizations utilize smart cybersecurity measures like HIPAA compliant email.

Try Paubox Email Suite Plus for FREE today.


About the author

Kapua Iao
