Louisiana

Data breaches are the unlawful compromise of the security or integrity of personal or sensitive information. Unauthorized parties utilize the obtained information for their personal or financial interests. Breaches can also take different forms, such as malware, identity theft, ransomware, or email hacking. In Louisiana, these cases are prevalent, and the state ranked 27th in terms of the number of victims from these attacks. In 2023, the state also incurred $76,222,392 in damages. That figure places it at 16th in the nation, meaning the value of losses experienced per individual is relatively high. Cybercriminals tend to target healthcare and government institutions in Louisiana.

Identity Theft Statistics

Identity Theft
Reports
6TH
State Rank (Reports per 100K Population)
10,582
Identity Theft Reports
Fraud & Other
Reports
36TH
State Rank (Reports per 100K Population)
24,884
Total Fraud & Other Reports
Fraud
Losses
$11.2M
Total Fraud Losses
$300
Median Fraud Losses

Top Ten Report Categories

Identity Theft
30%
Imposter Scams
15%
Credit Bureaus, Iformation Furnishers and Report Users
9%
Telephone and Mobile Services
5%
Debt Collection
5%
Banks and Lenders
4%
Online Shopping and Negative Reviews
4%
Prizes, Sweepstakes and Lotteries
4%
Auto Related
3%
Internet Services
1%

Top Identity Theft Types

33%
10,708
Credit Card Fraud
30%
9,713
Other Identity Theft
22%
7,050
Loan or Lease Fraud
6%
1,892
Phone or Utilities Fraud
4%
1,191
Bank Fraud
3%
1,030
Employment or Tax-Related Fraud
2%
615
Government Documents or Benefits Fraud

Louisiana's Recent Biggest Data Breaches

2023
May

Louisiana Office of Motor Vehicle (“OMV”)

The Office of Motor Vehicles indicated a data security incident involving the personal information of those who applied for or were issued a driver's license, identification card, or vehicle registration. In May 2023, Progress Software Corporation, which supports MOVEit, notified the OMV in Louisiana concerning a breach where an unauthorized party acquired several details on individual clientele. The information varied depending on the person but included birth dates, Social Security numbers, learner's permits, height, eye color, vehicle registration details, and driver's licenses. The Lousiana OMV also moved to notify all affected individuals, numbering over six million, by email. It also set up a dedicated-toll call center to answer any questions people may have had. It also provides one year of complimentary identity theft protection to all who were affected.

2022
November

Department of Public Safety and Corrections Network Server Breach

In November 2022, the Department of Public Safety and Corrections revealed that a third-party health administrator experienced a data breach entailing the personal health data of incarcerated persons. Two file directories on a server operated by a third party were breached. It affected 80,000 DOC and pretrial inmates. The Department indicated that upon discovering the exposure, the third party, Correct Care, took steps to implement care and secure the server. They are also working together to implement better information safeguards.

2022
October

Southwest Louisiana Health Care System

In October 2022, the Southwest Louisiana Healthcare System, or LCMHS, determined an unauthorized party accessed its network. The organization immediately took mitigating steps and launched an investigation. Though the Healthcare institution did not reveal the nature of the attack, the Hive ransomware group claimed they were responsible. The investigation revealed that the cybercriminals accessed names, addresses, identification numbers, payment information, birth dates, and clinical data. In December 2022, notification letters were issued to the affected people, and complimentary credit monitoring and identity theft protection services were provided to those affected.

2022
June

General Health System Network Server Breach

General Health System became aware of suspicious activities in June 2022. They decided to launch an investigation by contracting third-party specialists to determine the scope of the incident. It was found that unauthorized actors could access directories while they were on the network. Some of the information involved in the breach included names, birth dates, Social Security numbers, biometric information, medical treatments, financial account data, and medical records. That said, there was no clear evidence that the perpetrators of the breach attempted to use this information negatively. It affected 46,149 individuals. GHS also mailed letters to all potentially affected during the incident, provided it had their mailing address.

2022
February

Louisiana Public Facilities Authority (LPFA)

In February 2022, the Louisiana Public Facilities Authority became a target of a ransomware attack. The institution took immediate steps to stop the attack and investigate the source of the breach. It found that information was accessed, including names, addresses, financial data, email passwords, wage information, and employee personal information. The LPFA also reported this attack to the state and federal entities and collaborated with them to investigate the attack. They also issued notifications to all who were affected.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

State laws indicate the requirements for when businesses respond to data breaches and how they should do so. A data breach needs to be reported immediately, making its existence clear to all who have been affected within the state, and it should be done within 60 days of the discovery. Notices are to be given in written or electronic form. Notification is required unless the business or individual finds no reasonable potential of harm to residents after an investigation. That said, the business must keep a copy of the written determination and other documentation for five years.

When a notice to Louisiana residents is required according to the law, the business must also provide written notice concerning the security breach to the Consumer Protection sector of the attorney general in the state.

Any individual or business that maintains data, including personal information not owned, has to notify the owner or the licensee of that information if the data is believed to have been obtained by an unauthorized individual. Substitute notices are also available in Louisiana under specific circumstances. Substitute notices may only be given if the company presiding over the information proves that informing the affected people of a breach using standard notices costs more than $100,000 or that the number of affected is more than 100,000. Under those circumstances, the businesses can put up a conspicuous posting on the entity's website or send email notifications should they have the addresses of those affected. Businesses may also opt to notify statewide media as an alternative to other substitute methods.

Laws

  • Louisiana Database Security Breach Notification Law

    This law protects personal information and requires businesses to meet security procedures for data in the state. It also establishes notification requirements for businesses that experience a data breach. Personal information within the law is defined as the following:

    • Names
    • Social Security numbers
    • State identification card numbers
    • Passport numbers
    • Biometric data
    • Email and passwords
  • Louisiana Act no 382

    This law was enacted to protect personal information relative to the database security breach notification statute. The law also included the consideration of biometric data and required notices to be sent to residents of Louisiana within two months of discovering the breach.

Resources