Cyber Incident Victim: Louisiana State University Health
Date:
Sep 2020
Location:
United States of America
Summary
A cyber-attack targeting Louisiana State University Health compromised an employee's email mailbox, exposing sensitive patient information across multiple medical facilities. The breach involved varied personal and medical data, including names, Social Security numbers, dates of birth, insurance details, diagnoses, and in limited cases, bank account information. The institution detected and terminated unauthorized access within days, initiating a review of affected individuals while enhancing security protocols. Credit monitoring services were deployed for potential identity theft risks, though the total number of impacted patients remained undetermined at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 15, 2020, Louisiana State University Health (LSU Health) experienced a cyber-intrusion targeting an employee’s electronic mailbox. The unauthorized access was detected and disabled by September 18, 2020, limiting the exposure window to three days. The compromised mailbox contained emails and attachments with sensitive patient information from multiple LSU Health facilities, including names, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of medical services received, contact information, and insurance identification numbers. A subset of emails also included bank account numbers and specific health details such as diagnoses. The scope of compromised data varied across locations, with some patients experiencing exposure of more extensive personal and financial details than others. LSU Health initiated an internal investigation upon discovery and later issued an official HIPAA breach notification on November 20, 2020, confirming the incident publicly.
The breach impacted thousands of patients, though LSU Health acknowledged it had not finalized the total number of affected individuals at the time of disclosure. In response, the LSU Health Care Services Division’s Compliance and Privacy Department undertook a manual review of the compromised mailbox to identify all potentially exposed patient records. The organization implemented credit monitoring services for victims to mitigate identity theft risks stemming from the exposure of financial identifiers and Social Security numbers. Concurrently, LSU Health launched an internal review of its privacy and security policies to strengthen protections against future incidents, though no specific technical or procedural gaps were publicly disclosed. The incident underscored operational challenges in managing email-based data exposures, particularly given the variability in the types of sensitive information stored across communications related to patient care.