PHI of 31,000 Individuals Exposed Due to the Phishing Attack on Acadiana Computer Systems


Acadiana Computer Services Inc., which provides the healthcare industry in Lafayette, LA with software and business solutions, discovered that an unauthorized person accessed an employee’s email account. Upon detecting the security breach on July 6, 2018, Acadiana disabled external access to the email account and retained the services of an independent cybersecurity specialist to investigate the breach and figure out the details of the attack, its nature and extent .

Upon examination of the emails found in the compromised account, the personal data of a number of its clients’ patients were potentially exposed. The names, addresses, treatment details and medical billing information of some patients were exposed. For a limited number of persons, their Social Security numbers were also potentially accessed.

Acadiana Computer Services submitted its breach report to the Department of Health and Human Services’ Office for Civil Rights indicating there were 31,151 persons whose protected health information was exposed because of the email-related breach. The affected individuals received healthcare services from the healthcare providers listed below:

  • LSU Health Sciences Center Shreveport
  • LSU Healthcare Network
  • Oceans Acquisition, Inc.
  • Poly Ryon (Oakbend) Medical Group
  • Radiology and Interventional Associates of Metairie
  • Southern Surgical
  • South Louisiana Medical Associates
  • Truman Medical Centers
  • University of South Alabama
  • University Hospital and Clinics
  • Willis-Knighton Medical Center

Acadiana Computer Services sent breach notification letters to all affected individuals and gave extra advice on what they need to do to keep track of their personal data. As a safety measure, Acadiana Computer Services is paying for the expense of the affected patients’ identity monitoring services.

Acadiana Computer Services also took steps to minimize the risk of breaches that might occur in the future, including enhancing email account security, staff training, and reviewing and modifying its policies and procedures as needed.