On December 7, 2023, Louisiana-based Lafourche Medical Group settled with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after an investigation into a phishing attack that led to a breach affecting nearly 35,000 patients.
Phishing attacks trick individuals into disclosing credentials or other private information through electronic means, for example by responding to a deceptive email. In May 2021, Lafourche Medical Group filed a breach report with HHS explaining that an attacker had used phishing to gain access to an email account containing electronic protected health information (ePHI). In total, the ePHI of 34,862 patients was affected.
OCR’s investigation found that, before the phishing attack occurred, Lafourche Medical Group “failed to conduct a risk analysis to identify potential threats or vulnerabilities” affecting its ePHI, as required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Lafourche Medical Group also had no policies or procedures in place to “regularly review information system activity” and safeguard against cybersecurity attacks.
Lafourche Medical Group agreed to pay $480,000 to OCR and to implement a corrective action plan that OCR will monitor for two years. The settlement is the first OCR has reached under HIPAA in a case arising from a phishing attack.