HHS’ Office for Civil Rights (OCR) announced the first-ever HIPAA investigation settlement over a phishing cyber attack. Lafourche Medical Group (LMG or Lafourche) of Louisiana agreed to pay $480,000 and enter a supervised two-year corrective action plan. LMG specializes in emergency medicine, occupational medicine, and laboratory testing.
Why would regulators go after a healthcare provider who was a victim of cybercrime? In this case, Lafourche failed to conduct a HIPAA risk analysis to identify potential threats or vulnerabilities to electronic protected health information (PHI) across the organization. OCR also discovered that Lafourche did not have policies or procedures to review information system activity to safeguard PHI against cyberattacks.
In its press announcement, OCR explained that Lafourche filed a breach report with HHS on May 28, 2021, stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic PHI. Approximately 34,862 individuals’ PHI were compromised. When PHI is compromised, sensitive information about an individual’s medical records is at risk. The types of sensitive information can include medical diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.
“Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s protected health information.”
HIPAA requires that covered entities be proactive and do all they can to protect patient data. Being a victim of a phishing attack is not a defense in HIPAA enforcement.
In addition to the settlement payment and the corrective action plan, Lafourche agreed to:
- Establish and implement security measures to reduce security risks and vulnerabilities to electronic PHI to keep patients’ PHI secure;
- Develop, maintain, and revise written policies and procedures as necessary to comply with the HIPAA Rules; and
- Provide training on HIPAA policies and procedures to all staff members with access to patients’ PHI.
HIPAA Compliance is the Best Defense Against Cybercrime
HIPAA compliance is not difficult or expensive. Regulated entities need policies, workforce training, and an annual risk analysis. Everything you need is in The HIPAA E-Tool®, the common sense, affordable solution.