Louisiana Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A timeline of major cybersecurity incidents in Louisiana, from the 2019 statewide ransomware emergency to healthcare breaches and port system intrusions, with lessons for businesses.
Louisiana occupies a unique position in the American cybersecurity landscape. The state's economy is dominated by petrochemical refining, maritime logistics, and healthcare — three sectors that handle vast amounts of sensitive data and rely on industrial control systems that were often designed without modern security in mind. The Port of South Louisiana is the largest tonnage port in the Western Hemisphere, the 'Cancer Alley' petrochemical corridor between Baton Rouge and New Orleans contains one of the densest concentrations of chemical plants in the world, and Ochsner Health operates one of the Gulf South's most extensive hospital networks.
Louisiana made national headlines in 2019 when the governor declared a statewide cybersecurity emergency — only the second time any U.S. governor had invoked such a declaration. That event marked a turning point in how Louisiana addresses cyber threats, but it was far from the last significant incident. The timeline below documents the attacks that have shaped Louisiana's cyber threat landscape and the lessons that remain relevant for businesses operating in the state today.
Major Cyber Incidents in Louisiana: A Timeline
2019 — Governor's Cybersecurity Emergency Declaration (School District Ransomware)
In July 2019, Governor John Bel Edwards declared a statewide cybersecurity emergency after ransomware attacks struck the school districts of Sabine, Morehouse, and Ouachita parishes. This was only the second time a U.S. governor had invoked emergency powers in response to a cyberattack (following Colorado in 2018). The declaration activated the Louisiana National Guard's cyber unit and the state's Cybersecurity Commission to assist with response and recovery. The attacks encrypted school IT systems including student records, communications platforms, and administrative databases, disrupting operations weeks before the school year began.
2019 — Louisiana State Government Ransomware Attack
In November 2019, just months after the school district attacks, ransomware hit the Louisiana state government's Office of Technology Services, affecting multiple state agencies. The attack disrupted operations at the Office of Motor Vehicles, the Department of Health, the Department of Revenue, and other agencies. Governor Edwards activated emergency protocols again, and the state brought in federal cybersecurity resources to assist. State IT teams took servers offline proactively to contain the spread, which caused service disruptions lasting several days. The state confirmed it did not pay the ransom.
2020 — City of New Orleans Ransomware Attack
Beginning on December 13, 2019, and extending into early 2020, the City of New Orleans was hit by a ransomware attack that forced the city to shut down its computer network. Mayor LaToya Cantrell declared a state of emergency. The attack disrupted city services including police department communications, permitting systems, and municipal courts. The city spent approximately $7.2 million on recovery, with cyber insurance covering a portion of the costs. The attack was attributed to the Ryuk ransomware group, one of the most prolific ransomware operations active at the time.
2022 — Louisiana Office of Motor Vehicles / MOVEit Breach
The Louisiana Office of Motor Vehicles (OMV) was affected by the massive MOVEit Transfer vulnerability exploitation in 2022-2023, which was attributed to the Clop ransomware group. The breach exposed the personal information of Louisiana residents who held driver's licenses or state ID cards, including names, addresses, Social Security numbers, and driver's license numbers. Governor Jeff Landry's office disclosed that the breach potentially affected millions of Louisiana residents. The incident highlighted the pervasive risk of third-party software vulnerabilities in government operations.
2023 — Ochsner Health Phishing Breach
Ochsner Health, Louisiana's largest nonprofit health system, reported a breach in 2023 involving a third-party vendor that improperly shared patient data with analytical platforms. While not a traditional hacking incident, the exposure affected patient information including medical record numbers, appointment details, and in some cases insurance information. Separately, Ochsner experienced phishing attacks targeting employee email accounts. The incidents prompted the health system to implement additional vendor oversight controls and enhanced email security measures.
2023 — BRPH Consulting (Baton Rouge) Data Exposure
BRPH, an architecture and engineering consulting firm with Baton Rouge operations, disclosed a data breach affecting employee and client information. The breach exposed personal information including Social Security numbers and financial records. The incident illustrated that professional services firms, which often hold sensitive client data across multiple projects, are increasingly targeted by cybercriminals seeking high-value data sets.
2024 — Franciscan Missionaries of Our Lady Health System Breach
The Franciscan Missionaries of Our Lady Health System (FMOLHS), which operates Our Lady of the Lake Regional Medical Center and other Louisiana facilities, disclosed a data breach in 2024 affecting patient records. The breach involved unauthorized access to systems containing names, dates of birth, medical record numbers, and insurance information. The incident added to Louisiana healthcare's growing breach record and reinforced the urgent need for healthcare-specific cybersecurity investments.
Louisiana's Data Breach Notification Law
Louisiana's Database Security Breach Notification Law, codified in Louisiana Revised Statutes Title 51, Section 3071 et seq., is one of the more prescriptive breach notification statutes in the southeastern United States. The law requires any person or business that conducts business in Louisiana and owns or licenses computerized data containing personal information to notify affected individuals within 60 days of discovery of a breach. Notification must be made in writing and must include the nature of the breach, the type of personal information compromised, and the contact information for the entity providing notice.
If the breach affects more than 1,000 Louisiana residents, the business must also notify the Louisiana Attorney General and all consumer reporting agencies. Penalties for noncompliance can include civil fines of up to $5,000 per violation per day. For detailed compliance guidance, see our guide to Louisiana cybersecurity compliance requirements.
Which Louisiana Industries Are Most Targeted?
Energy and Petrochemical
Louisiana's petrochemical corridor, stretching from Baton Rouge to New Orleans, contains over 150 industrial facilities including refineries, chemical plants, and LNG terminals. These operations depend on industrial control systems and SCADA networks that are frequently targeted by nation-state actors and ransomware groups. The convergence of IT and OT in modern plant operations creates attack surfaces that manufacturing and industrial IT services must specifically address.
Maritime and Port Operations
The Port of South Louisiana handles more tonnage than any other port in the Western Hemisphere, and the Port of New Orleans is a critical hub for container shipping and cruise operations. Maritime operations rely on interconnected systems for logistics, cargo tracking, and navigation that are vulnerable to cyberattacks. A disruption to port systems could cascade through national supply chains.
Healthcare
Louisiana's healthcare sector, led by Ochsner Health and FMOLHS, manages sensitive patient data across urban and rural facilities. Healthcare organizations in Louisiana should implement healthcare-specific IT security that addresses electronic health records, connected medical devices, and the unique operational demands of clinical environments.
State and Local Government
As the 2019 emergency declarations demonstrated, Louisiana government entities — from school districts to state agencies — face persistent ransomware threats. Many local government systems operate with limited budgets and aging infrastructure that is difficult to secure.
What Louisiana Businesses Must Do After a Breach
If your Louisiana organization experiences a data breach, the following steps are required or strongly recommended under state law:
Contain the breach immediately — isolate affected systems, revoke compromised credentials, and preserve evidence for forensic analysis
Conduct a thorough investigation — determine what data was accessed, the point of entry, and whether the intrusion is ongoing
Notify affected individuals within 60 days of discovering the breach, with written notice describing the incident and the types of information compromised
Notify the Louisiana Attorney General if the breach affects more than 1,000 Louisiana residents
Notify consumer reporting agencies if the breach affects more than 1,000 individuals at one time
Document all response actions including the timeline, notification efforts, and remediation steps taken
Engage legal counsel familiar with Louisiana data breach law and any applicable federal regulations
How to Protect Your Louisiana Business Before an Incident
Louisiana's concentrated exposure to cyber risk through its energy, maritime, and healthcare sectors demands proactive security investment. The state's history of high-profile incidents — including two emergency declarations in a single year — should serve as a clear warning.
Implement multi-factor authentication across all remote access, email, and privileged accounts
Segment networks between IT and OT environments — this is critical for petrochemical plants and port operations where a ransomware infection could affect physical processes
Maintain offline backups tested regularly for restoration — the state government and City of New Orleans were able to recover without paying ransoms in part because of backup availability
Conduct regular vulnerability assessments including assessments of industrial control systems and SCADA networks
Train employees on phishing recognition with regular simulated campaigns
Establish and test incident response plans at least annually with tabletop exercises
Louisiana businesses that lack in-house security expertise should consider partnering with managed IT services and managed security services providers for continuous monitoring and rapid incident response.
Frequently Asked Questions
Has Louisiana ever declared a cybersecurity emergency?
Yes. Louisiana Governor John Bel Edwards declared statewide cybersecurity emergencies twice in 2019 — first in July after ransomware attacks struck three school districts, and again in November when ransomware hit the state government's Office of Technology Services. Louisiana was the second U.S. state to invoke emergency powers in response to a cyberattack, following Colorado in 2018.
How quickly must a Louisiana business report a data breach?
Under Louisiana Revised Statutes Title 51, Section 3074, businesses must notify affected individuals within 60 days of discovering a breach. If the breach affects more than 1,000 Louisiana residents, the business must also notify the Attorney General and consumer reporting agencies within the same timeframe.
What are the penalties for failing to report a breach in Louisiana?
Louisiana imposes civil penalties of up to $5,000 per violation per day for businesses that fail to comply with the breach notification requirements. The Attorney General has enforcement authority and can pursue additional remedies including injunctive relief. Given the potential for compounding daily penalties, delayed notification can become extremely costly.
Was the MOVEit breach the largest data exposure affecting Louisiana residents?
In terms of the number of individuals potentially affected, the MOVEit breach is likely the largest single data exposure impacting Louisiana residents, as it potentially compromised the personal information of millions of people who held Louisiana driver's licenses or state IDs. However, the full scope was difficult to quantify because the vulnerability affected organizations worldwide.
Which Louisiana industries are most vulnerable to cyberattacks?
Healthcare and government entities account for the most publicly reported breaches in Louisiana, driven by mandatory reporting requirements. However, the petrochemical and maritime sectors face significant but often less publicly visible threats, particularly from nation-state actors targeting industrial control systems. Reviewing the Louisiana cyber threat landscape provides additional context on industry-specific risks.
Does Louisiana have a state cybersecurity agency?
Louisiana's Office of Technology Services (OTS), part of the Division of Administration, is the primary state agency responsible for cybersecurity. OTS manages the state's IT infrastructure and cybersecurity operations. Louisiana also established the Louisiana Cybersecurity Commission, which brings together representatives from government, academia, and the private sector to advise on cybersecurity policy and workforce development.
Alex Morgan
Updated Apr 5, 2026 · 9 min read