A breach at the Lake Charles Memorial Health System in Louisiana has some security researchers wondering why it took almost two months to notify affected patients.

According to a release on the hospital’s website, the breach dates back to October 21 of this year and involved the theft of patient data, including patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, and/or limited clinical information regarding care at the hospital. In some instances, the social security numbers of patients were also included.

But the release states that the hospital only began the process of mailing out letters informing patients of the breach on Dec. 23, more than two months later. The hospital did release a brief statement on Nov. 16 confirming the discovery of unauthorized activity on their network, but claimed the hospital's cybersecurity team "quickly identified and blocked the activity" and that "the incident did not impact any LCMH patient care or clinical operations." The release does not mention the theft or compromise of patient data, though hospital officials apparently notified law enforcement and pledged to partner with and "notify affected individuals in accordance with applicable laws and regulations."

SC Media has reached out to Lake Charles Memorial Hospital for comment and to ask if any efforts were made to notify affected patients sooner.

Cybersecurity experts say if the hospital did wait two months to inform affected patients, it's not clear what might have prevented them from earlier notification.

“What’s most concerning here is that they were aware of the data loss event in October and there was no notification for nearly two months,” said John Bambenek, principal threat hunter at Netenrich. “Companies losing PHI data is not a mere regulatory event. The true victims are their patients and employees who will face the real harm from data misuse.”

BleepingComputer reported that the Hive ransomware group listed the Lake Charles hospital on its data leak site on November 15, 2022, a step that often comes after failed negotiations over a ransom payment. The hackers reportedly claimed that the encryption took place on October 25, 2022, four days after the hospital reported the first detection of the network intrusion in its public statement.

For its part, the hospital said it plans to offer individuals whose social security number may have been compromised with complimentary credit monitoring and identity theft protection services. Patients are also being encouraged to review statements from their health insurer and healthcare providers, and to contact them immediately if they see any services they did not receive.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, underscored that stolen medical information is extremely sensitive for the victims and it’s important for the data collector and processor to ensure victims are notified without undue delay so they can actively monitor for any abuse of the data. Unfortunately, unlike a credit card, which can get changed and put back on track quickly following a compromise, certain medical records cannot be replaced or deleted once stolen or disclosed, Carson said.

“You can quickly resolve financial fraud, however, a stolen identity can take months, or even years, to resolve,” Carson said. “Since medical records are extremely sensitive and valuable for cybercriminals, they should be a top priority for healthcare institutions that hold PHI to protect them with best security practices such as strong encryption, privileged access security. and multi-factor authentication.”