Louisiana Medical Group to Pay $480K Over Phishing Attack *Centurion Insurance AFS*

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), last month announced that Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing, agreed to a settlement over a 2021 phishing attack.

The settlement resolves an investigation following a phishing incident that affected the electronic protected health information of approximately 34,862 individuals This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. HIPAA is the federal law that protects the privacy and security of health information.

Lafourche Medical Group agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years.

On May 28, 2021, Lafourche Medical Group filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic protected health information. When protected health information is compromised by a cyber-attack breach such as phishing, incredibly sensitive information about an individual’s medical records is at risk. The types of sensitive information can include medical diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.

OCR’s investigation revealed that, prior to the 2021 reported breach, Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA. OCR also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks.

Lafourche Medical Group will take the following steps to resolve and comply with:

• Establishing and implementing security measures to reduce security risks and vulnerabilities to electronic protect health information in order to keep patients’ protected health information secure;
• Developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules; and
• Providing training to all staff members who have access to patients’ protected health information on HIPAA policies and procedures.

Source: HHS

Topics
Cyber
Louisiana