First Ever Phishing Settlement Cost Medical Group $480k

Lafourche Medical Group will pay $480,000 to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) after a phishing attack that may have affected the electronic protected health information (ePHI) of more than 34,000 people. The settlement is the first ever involving a phishing attack under HIPAA. Lafourche is a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. As part of the phishing settlement, Lafourche will also:

  • Establish and implement security measures to reduce risks and vulnerabilities to ePHI
  • Develop, maintain, and revise written policies and procedures as necessary to comply with the HIPAA Rules
  • Provide training to all staff members who have access to ePHI on HIPAA policies and procedures

The Phishing Attack

On May 28, 2021, Lafourche filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained ePHI. Lafourche was unable to identify the specific patients affected, so it notified all of its more than 34,000 patients of the incident.

OCR’s investigation revealed that, before the 2021 reported breach, Lafourche failed to conduct a risk analysis to identify potential threats or vulnerabilities to ePHI across the organization as required by HIPAA. OCR also discovered that Lafourche had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks.

A Troubling Trend

According to OCR data, phishing and other cyber-attack methods are impacting the healthcare industry at a growing rate. Based on the large breaches reported to OCR in 2023, over 89 million individuals have been affected by large breaches. In 2022, over 55 million individuals were affected.

The OCR continues to stress the importance of organizations performing enterprise-wide risk assessments to identify and address potential risks to the protection of ePHI. Risk assessments must include evaluating your controls against commonly expected threats such as phishing.

CompliancePoint has the experience and expertise to help your organization design and implement policies and procedures that will ensure HIPAA compliance. We also offer a suite of cybersecurity services that will help you better defend against and respond to a cyber incident. Contact us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.