OCR settles phishing attack investigation, with provider paying $480,000

The U.S. Department of Health and Human Services Office for Civil Rights said Thursday it has reached a settlement with Lafourche Medical Group after completing an investigation into a phishing attack that affected the electronic protected health information of approximately 34,862 individuals.

A hacker gained access to an email account on March 30, 2021, containing ePHI for Lafourche Medical Group, a provider of emergency medicine, occupational medicine and laboratory testing in Louisiana.

OCR said its investigation revealed that the provider did not conduct a HIPAA-required risk assessment prior to the reported breach. The agency noted in its announcement that it also found that Lafourche Medical Group did not have policies or procedures in place to regularly review information systems operations to protect ePHI from cyberattacks.

As a result, the outpatient provider agreed to pay $480,000 to OCR and implement a corrective action plan that will be monitored by OCR for two years.

All healthcare organizations have a role in taking preventive measures against phishing attacks, OCR Director Melanie Fontes Rainer said in a statement.

Phishing attacks, which trick individuals into disclosing sensitive information via electronic communications by masquerading as a trusted source, have become ubiquitous. OCR said more than 89 million people have been affected by major, costly breaches of patient data, according to this year's breach reports by HIPAA covered entities.

Cyberattacks that violate patient data protection laws can also disrupt healthcare, putting patients at risk as the attacks evolve.

While OCR has historically investigated and fined healthcare organizations for violations of the Health Insurance Portability and Accountability Act Security Rule related to hardware theft and other types of data breaches, HHS is proposing further penalties for hospitals for cyberattacks.

The Centers for Medicare and Medicaid Services is developing new cybersecurity requirements that it will propose, while OCR will add new cybersecurity requirements to HIPAA in spring 2024, HHS said this week in its announcement about the new policy strategy.

“Funding and voluntary targets alone will not drive the cyber-related behavior change needed in the healthcare sector,” the agency said in the statement.

The American Hospital Association has said it will not support proposals for mandatory cybersecurity requirements for hospitals, pointing out that all organizations, including government, are susceptible to these attacks despite their best efforts.

“Imposing fines or reducing Medicare payments would reduce hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks,” Rick Pollack, AHA president and CEO, told Healthcare IT News.

“Phishing is the most common way hackers gain access to healthcare systems to steal sensitive data and health information,” OCR's Fontes Rainer said in a statement.

“It is imperative that the healthcare industry is vigilant in protecting its systems and sensitive health records, including regular staff training and consistently monitoring and managing systemic risk to prevent these attacks.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.