The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled its first-ever investigation of a phishing attack. The investigation uncovered violations of the Health Insurance Portability and Accountability Act Security Rule, which Lafourche Medical Group settled for $480,000.
Phishing is one of the most common initial access vectors in cyberattacks on the healthcare industry. It uses social engineering techniques to trick individuals into disclosing sensitive information, usually login credentials. On March 30, 2021, one of the owners of Lafourche Medical Group received a phishing email that appeared to have been sent by another owner. The email requested login credentials, and the owner’s reply gave the attacker access to Lafourche Medical Group’s Microsoft 365 environment, where patients’ protected health information (PHI) was stored.
Lafourche Medical Group investigated the breach but, because of the size of the email environment, could not determine how many patients had their protected health information exposed, so it decided to send notification letters to all patients – 34,862 individuals. The email environment contained highly sensitive PHI such as names, dates of birth, Social Security numbers, diagnoses, and treatment information.
OCR launched an investigation to determine whether Lafourche Medical Group had complied with the HIPAA Security Rule. Lafourche Medical Group was unable to demonstrate that a risk analysis had been conducted before the security incident, and prior to the incident it had no policies or procedures in place for regularly reviewing logs of activity in its information systems to safeguard PHI against cyberattacks. These two HIPAA Security Rule violations were individually and collectively of sufficient severity to warrant a financial penalty. Lafourche Medical Group opted to settle the investigation, paid a $480,000 penalty, and agreed to adopt a corrective action plan (CAP). The CAP includes the following requirements:
- Create, document, and implement security measures sufficient to reduce the risks and vulnerabilities to ePHI identified in its December 2022 Security Risk Assessment to a reasonable and appropriate level.
- Conduct an accurate and thorough annual HIPAA risk assessment to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Lafourche Medical Group (LMG), including any affiliates that are owned, controlled, or managed by LMG, and document the security measures LMG has implemented or is implementing to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
- Develop written policies and procedures to address any threats and vulnerabilities to the ePHI identified in its risk analysis and risk management plan.
- Develop written policies and procedures to address information system activity reviews.
- Provide HIPAA training to all members of the workforce who have access to PHI or electronic PHI (ePHI).
“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”