OCR settles first-ever phishing cyberattack investigation
Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities, and will pay $480K to OCR.
Photo: Andrew Brooks/Getty Images
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has reached a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of about 34,862 people.
Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information through electronic communication, such as email, by impersonating a trustworthy source.
OCR said it was the first settlement it has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act Rules. HIPAA is the federal law that protects the privacy and security of health information.
WHAT'S THE IMPACT?
On May 28, 2021, Lafourche Medical Group filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic protected health information. This potentially put sensitive information at risk, including medical diagnoses, frequency of visits to a therapist or other healthcare professionals, and where someone seeks medical treatment.
OCR's investigation revealed that, prior to the 2021 reported breach, Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA.
The agency also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks.
As a result, Lafourche Medical Group agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored for two years.
Lafourche Medical Group said it would take a number of steps, such as establishing security measures to reduce risks and vulnerabilities to electronic protected health information, developing and maintaining written policies and procedures as necessary to comply with the HIPAA, and providing training to all staff members who have access to patients' protected health information on HIPAA policies and procedures.
THE LARGER TREND
Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to the reputation, health or physical safety of the individual or to others identified in the individual's protected health information, said HHS.
Healthcare providers, health plans and data clearinghouses regulated by HIPAA are required to file breach reports with HHS. Based on the large breaches reported to OCR this year, more than 89 million people have been affected by large breaches. In 2022, roughly 55 million people were affected.
Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com