On July 15, DataBreaches reported that Baton Rouge General Medical Center in Louisiana had been the victim of a significant ransomware attack. Our report attributed the attack to Hive although Hive was publicly denying responsibility at the time and claiming DataBreaches had “incorrect info.”
Our information was correct. On Tuesday, Hive added the health center to their dedicated leak site, claiming that they encrypted Baton Rouge General on June 29. They dumped a lot of personal and protected health information to support their claims of having exfiltrated data.
The data are not from just the medical center, however, but appear to include files from the larger health system, which may be why on some date unknown to DataBreaches, but after July 15, Baton Rouge General Health System posted an incident notice on its website. It reads, in significant part:
Notice of Data Event
General Health System (“GHS”) recently discovered an incident that may have impacted the privacy of information related to certain individuals. While GHS is unaware of any actual or attempted misuse of information in relation to the incident, it is providing potentially affected individuals with information about the incident and steps individuals may take to help protect against the possible misuse of your information.
What Happened?
On June 28, 2022, GHS became aware of suspicious activity related to certain GHS computer systems. GHS immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity. Through the investigation, it was determined that there was unauthorized access to GHS’s network between June 24, 2022 to June 29, 2022. The unauthorized actor had the ability to access certain directories while on the network. Therefore, GHS is undertaking a comprehensive review of the contents of the directories determined to be at risk to assess what sensitive information was contained within them and to whom the information related. GHS’s review is ongoing and once completed GHS intends to mail notice letters to potentially affected individuals.
What Information Was Involved?
The contents of the potentially affected directories are being reviewed to determine what sensitive data was contained therein. Once the review is complete, GHS intends to send notice letters to affected individuals that detail the specific information related to them that could have been accessed.
The full notice can be found on their website. From their statement, notifications do not appear to have been made as yet. There is also no notice on HHS’s public breach tool nor on any of the state attorney general sites that post submitted breach notices.
DataBreaches asked Hive a number of questions, including whether yesterday’s dump was a 100% dump or only part of the data they had exfiltrated. Other questions included one about whether Hive still has access to the system, and whether they had contacted any patients or employees about the breach.
Hive’s only answer was, “They still didn’t pay HIVE.” To all other questions, they responded “No comment” at this point, but indicated they might share more information later.
DataBreaches will not be including any redacted screencaps at this point, but there was a lot of protected health information and sensitive information noted in skimming the leaked files, including mental health updates to courts, batched billing for named patients with named diagnostic tests from LabCorp, some employee health records, ACH records going back to 2009, and scanned pdfs of patient files with demographic and medical information, such as patient intake forms for pain management at Baton Rouge Rehab Hospital.
From a notification standpoint, Baton Rouge appears to have a total mess on their hands to address.