Updated on 2022-12-29: Louisiana Healthcare System Delayed Reporting Breach to HHS OCR
An October 2022 ransomware attack that affected IT systems at Louisiana’s Lake Charles Memorial Health System compromised sensitive data belonging to about 270,000 patients. The organization disclosed the incident in late October, but did not notify the US Department of Health and Human Services Office for Civil Rights (HHS OCR) until December 22, and began sending patients notification letters on December 23.
“We are offering individuals whose Social Security number may have been included with complimentary credit monitoring and identity theft protection services. Patients are encouraged to review statements from their health insurer and healthcare providers, and to contact them immediately if they see any services they did not receive.” – LCMHS
- In this case, the reporting requirement seems to be 60 days so Lake Charles is compliant, but waiting that amount of time to notify impacted customers is the issue. Reports say Lake Charles refused to pay the ransom demand, so allow some time for negotiations. But customers should have been notified faster. Lesson to learn is to have the breach response process in place and tested long before an event.
- That is a long time for customer notification. While it’s tempting to hold off making notifications until you’re 100% certain, you need to put a cap of (at most) a couple of weeks to keep your customers comfortable. More transparency is expected. Make sure that you’re able to provide information and updates as you move along, not holding back until you have absolutely every detail nailed down.
- Many criticize mandatory reporting requirements introduced by regulations such as the EU General Data Protection Regulation (GDPR). However, delayed reporting can have serious impacts on the affected individuals such as exposing them to the risk of fraud.
- While earlier might have been better, I tend to be forgiving of hard choices made by other professionals.
Read more in
- Lake Charles Memorial Health System Notice to Our Patients of Cybersecurity Incident
- U.S. Department of Health and Human Services Office for Civil Rights: Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
Lake Charles Memorial Health System, Louisiana, disclosed that the personal and medical data of nearly 270,000 patients were accessed in a ransomware attack. Read more: Hackers accessed data on 270,000 patients from Louisiana hospital system in attempted ransomware attack