The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. HIPAA is the federal law that protects the privacy and security of health information.
“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”
On May 28, 2021, Lafourche Medical Group filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic protected health information. When protected health information is compromised by a cyber-attack breach such as phishing, incredibly sensitive information about an individual’s medical records is at risk. The types of sensitive information can include medical diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.
Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s protected health information. Health care providers, health plans and data clearinghouses regulated by HIPAA are required to file breach reports with HHS. Based on the large breaches reported to OCR this year, over 89 million individuals have been affected by large breaches. In 2022, over 55 million individuals were affected.
OCR’s investigation revealed that, prior to the 2021 reported breach, Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA. OCR also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks.
As a result, Lafourche Medical Group agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years. Lafourche Medical Group will take the following steps to resolve and comply with:
- Establishing and implementing security measures to reduce security risks and vulnerabilities to electronic protect health information in order to keep patients’ protected health information secure;
- Developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules; and
- Providing training to all staff members who have access to patients’ protected health information on HIPAA policies and procedures.
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of protected health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can be found on OCR’s website. Additional cybersecurity resources may be found at:
- OCR’s newsletter on Defending Against Common Cyber-Attacks.
- Health Sector Cybersecurity Coordination Center White Paper on AI-Augmented Phishing and the Threat to the Health Sector.
- HHS 405d Health Industry Cybersecurity Practices on Email Phishing Attacks.
- Videos on “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks” in English and Spanish .
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lafourche-medical-group/index.html
The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.