
OCR settles landmark phishing case that affected 35,000 patients

On December 7, the Office for Civil Rights (OCR) settled a phishing case affecting approximately 35,000 patients.


What happened

The OCR announced a settlement with Lafourche Medical Group, a Louisiana-based group that specializes in occupational medicine, laboratory testing, and emergency medicine. 

The breach report was filed with the HHS in May of 2021, while the phishing attack was conducted in March of that year. According to the HHS, an unauthorized individual gained access to an email account that contained electronic protected health information (PHI), putting sensitive information of individuals at risk. 

The OCR investigated the incident and found that before the breach, Lafourche had failed to conduct a risk analysis to identify threats and vulnerabilities, a requirement for HIPAA-covered entities.  


What’s new

Because Lafourche failed to comply with HIPAA requirements that might have prevented the incident, it faces a substantial penalty.

Lafourche has agreed to pay $480,000 to the OCR and will follow a corrective action plan. The required steps include: 

  • Establishing and implementing security measures to reduce security risks and vulnerabilities to electronic PHI.
  • Developing, maintaining, and revising written policies and procedures to comply with HIPAA.
  • Providing security and HIPAA-compliance training to staff members who have access to PHI.

As part of the agreement, the OCR will monitor Lafourche for 2 years to ensure they meet all requirements. 


What was said

In a statement, OCR Director Melanie Fontes Rainer said, “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information.” 

“It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks,” she added. 


Why it matters

According to a recent newsletter from the HHS, phishing is considered one of the most common attack strategies. A report revealed that approximately 42% of ransomware attacks in Q2 2021 involved phishing. 

HIPAA requires regulated organizations to provide security awareness training to their workforce and to issue frequent reminders about common phishing tactics.

The HHS also recommends that regulated organizations prevent phishing attacks by using anti-phishing technologies. Many of these are email tools that check whether a message's sender is legitimate rather than a malicious actor.

A white paper released by the HHS showed that phishing attacks are frequently used in the health sector as part of a larger cyberattack to infiltrate networks and access data. Now, artificial intelligence has made phishing attacks more effective. Through AI, phishing attempts can sound more authentic and persuasive. 

The HHS emphasizes that employee training needs to keep pace with the evolving challenges of combating phishing.

The big picture

The settlement shows that the OCR is taking cases of phishing seriously and is now holding organizations responsible if they could have prevented attacks. With how common phishing is, more organizations may be fined if they fail to provide security training and take preventative measures for their email platforms.
