OCR Imposes First HIPAA Penalty in a Phishing Attack Investigation
The HHS’ Office for Civil Rights (OCR) has agreed to settle a landmark cyber investigation and has imposed its first financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) to resolve Security Rule violations related to a phishing attack. Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach to OCR on May 28, 2021, involving the protected health information (PHI) of up to 34,862 individuals.
According to the breach notification, a hacker gained access to the email account of one of its owners on March 30, 2021, following a response to a phishing email that spoofed one of the medical group’s owners. The threat actor gained access to the Microsoft 365 environment, which contained patient data. Lafourche Medical Group said that because of the size of the email system, it was not possible to determine all patient information that had been exposed so notification letters were mailed to all patients. The exposed data included names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.
OCR launched an investigation into the incident to determine whether a failure to comply with the HIPAA Rules led to or contributed to the security breach. OCR’s investigators discovered Lafourche Medical Group had not conducted a security risk analysis prior to the phishing attack. The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information. OCR also determined that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity prior to the phishing attack. This is also a required implementation specification of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(D).
Lafourche Medical Group agreed to settle the investigation with no admission of liability or wrongdoing. In addition to paying a sizeable financial penalty, Lafourche Medical Group has agreed to implement a robust corrective action plan (CAP) which includes establishing and implementing security measures to reduce security risks and vulnerabilities to ePHI, developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules, and providing HIPAA training to all staff members who have access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”
This is the 12th HIPAA violation penalty imposed by OCR in 2023 and the second-largest of the year. So far this year, OCR has imposed HIPAA penalties totaling $4,016,500
