Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), disclosed a resolution with Lafourche Medical Group, a Louisiana-based medical entity specializing in emergency medicine, occupational medicine, and laboratory testing. The agreement concludes an inquiry prompted by a phishing attack that impacted the electronic protected health information of around 34,862 individuals. Phishing, a form of cybersecurity attack, involves deceiving individuals into revealing sensitive information through electronic means, like email, by posing as a trustworthy entity. This settlement represents the first instance in which OCR has addressed a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules, which safeguard the privacy and security of health information according to federal law.

Melanie Fontes Rainer, the OCR Director, emphasized that phishing is the primary method for hackers to infiltrate healthcare systems and steal crucial data and health information. Rainer stressed the critical need for constant vigilance within the healthcare industry to safeguard systems and sensitive medical records. This involves ongoing staff training and consistently monitoring and managing system risks to thwart potential attacks. Rainer highlighted the shared responsibility we all have in ensuring the safety of our healthcare system and taking proactive measures to prevent phishing incidents.

On May 28, 2021, Lafourche Medical Group submitted a report to HHS disclosing a breach. They reported that a hacker, using a successful phishing attack on March 30, 2021, managed to access an email account containing electronic protected health information. When cyber-attacks like phishing compromise protected health information, they put highly sensitive details from an individual’s medical records at risk. This includes information such as medical diagnoses, the frequency of visits to healthcare professionals like therapists, and the locations where an individual seeks medical treatment.

Phishing attacks can lead to identity theft, financial loss, discrimination, stigma, mental distress, and adverse impacts on an individual’s reputation, health, or physical safety, as well as that of others mentioned in their protected health information. Entities under HIPAA regulations, such as health care providers, health plans, and data clearinghouses, must submit breach reports to HHS. This year, based on reported major breaches, more than 89 million individuals have been impacted, while in 2022, the number was over 55 million.

OCR’s examination uncovered that, before the reported breach in 2021, Lafourche Medical Group neglected to perform a risk analysis to pinpoint potential threats or vulnerabilities to electronic protected health information throughout the organization, as mandated by HIPAA. Additionally, OCR found that Lafourche Medical Group lacked established policies or procedures for routinely reviewing information system activity in order to protect electronic protected health information from cyberattacks.

Consequently, Lafourche Medical Group has committed to a $480,000 payment to OCR and to adopting a corrective action plan, subject to OCR oversight for two years. Under the plan, Lafourche Medical Group will take the following steps:

  • Putting in place and executing security measures to minimize risks and vulnerabilities in electronic health information, safeguarding patients’ protected health data.
  • Developing, maintaining, and updating written policies and procedures to align with the HIPAA Rules.
  • Conducting training sessions on HIPAA policies and procedures for all staff members with access to patients’ protected health information.

You can locate the resolution agreement and corrective action plan at