Topics
Reimbursement
J&J backs down from its planned 340B rebate model
J&J backs down from its planned 340B rebate model
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
Four health systems form Longitude Health 
Four health systems form Longitude Health 
Capital Finance
HIMSSCast: Is private equity the bad guy in healthcare?
HIMSSCast: Is private equity the bad guy in healthcare?
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Elevance stock slides on lower forecast
Elevance stock slides on lower forecast
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
U.S. healthcare system ranks last in equity, access
U.S. healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Johns Hopkins Health Plans announces multi-payer portal
Johns Hopkins Health Plans announces multi-payer portal
Workforce
Feds grant $100 million to grow healthcare workforce
Feds grant $100M to grow healthcare workforce
Operations
UMC Health System hit with IT outage linked to ransomware
UMC Health System hit with IT outage linked to ransomware
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
Cleveland Clinic partnering with Cavaliers on new training center
Cleveland Clinic partnering with Cavs on new sports complex
Compliance & Legal
BCBS reaches $2.8 billion settlement agreement
BCBS reaches $2.8 billion settlement agreement
Policy and Legislation
HHS investing $75 million in rural healthcare infrastructure
HHS investing $75 million in rural healthcare infrastructure
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
ACO REACH changes more negative than positive, says participant
ACO REACH changes not positive, says participant
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Walmart announces closing of clinics and virtual care
Walmart is closing clinics and virtual care
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS Health mulls potential breakup in midst of strategic review
CVS Health mulls potential breakup
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Medicaid to cover traditional Tribal community healthcare 
Medicaid to cover traditional Tribal community healthcare 
Patient Engagement
Patients see narrow networks in ACA marketplace plans, KFF finds
KFF: Patients see narrow networks in ACA marketplace plans
Pharmacy
Blue Shield of California challenges PBM model to lower cost of Humira biosimilar
Insurer challenges PBM model to lower cost of Humira biosimilar
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Patients less likely to seek virtual behavioral care when paying out-of-pocket
Patients who pay cost-sharing less likely to seek virtual care
Mergers & Acquisitions
In M&A deals, seller size by revenue is significantly above historical norms
In M&A deals, seller size by revenue is above historical norms
View more
Dec 08, 2023 More on Patient Engagement

OCR settles first-ever phishing cyberattack investigation

Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities, and will pay $480K to OCR.

Jeff Lagasse, Editor

Photo: Andrew Brooks/Getty Images

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has reached a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of about 34,862 people.

Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information through electronic communication, such as email, by impersonating a trustworthy source.

OCR said it was the first settlement it has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act Rules. HIPAA is the federal law that protects the privacy and security of health information.

WHAT'S THE IMPACT?

On May 28, 2021, Lafourche Medical Group filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic protected health information. This potentially put sensitive information at risk, including medical diagnoses, frequency of visits to a therapist or other healthcare professionals, and where someone seeks medical treatment.

OCR's investigation revealed that, prior to the 2021 reported breach, Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA.

The agency also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks.

As a result, Lafourche Medical Group agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored for two years.

Lafourche Medical Group said it would take a number of steps, such as establishing security measures to reduce risks and vulnerabilities to electronic protected health information, developing and maintaining written policies and procedures as necessary to comply with the HIPAA, and providing training to all staff members who have access to patients' protected health information on HIPAA policies and procedures.

THE LARGER TREND

Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to the reputation, health or physical safety of the individual or to others identified in the individual's protected health information, said HHS.

Healthcare providers, health plans and data clearinghouses regulated by HIPAA are required to file breach reports with HHS. Based on the large breaches reported to OCR this year, more than 89 million people have been affected by large breaches. In 2022, roughly 55 million people were affected.
 

Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.