Dive Brief:
- The HHS’ Office for Civil Rights announced on Thursday it had reached a $480,000 settlement with a Louisiana-based medical group over a 2021 data breach, marking the first settlement the agency has resolved related to a phishing cyberattack.
- Lafourche Medical Group reported that a hacker had accessed an email account with protected health information in March 2021 via a phishing attack, which attempts to trick users into divulging sensitive data or downloading malware. About 34,862 individuals' health information may have been exposed.
- The OCR’s investigation found Lafourche failed to conduct a risk analysis to identify potential threats and vulnerabilities before the attack, and that the medical group didn’t have policies or procedures in place to regularly review its system activity.
Dive Insight:
Healthcare data breaches have risen over the past decade, exposing hundreds of millions of patients’ sensitive health and personal information. More than 89 million people have been affected by large breaches reported to the OCR this year, compared with 55 million in 2022, according to the agency.
The HHS has recently made moves to boost cybersecurity in the healthcare sector. Earlier this week, the department released a concept paper outlining its new strategy, which will eventually include proposing cybersecurity requirements for hospitals through Medicare and Medicaid and updating the HIPAA Security Rule.
It also announced its first settlement related to a healthcare ransomware attack earlier this fall. Ransomware, in which criminals demand payment in return for restoring access to critical data and systems, poses a growing threat to the sector, as the attacks can disrupt hospital operations and delay access to care.
But phishing is the most common way that hackers access healthcare systems, OCR Director Melanie Fontes Rainer said in a statement.
“It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks,” she said.
In addition to the $480,000 payment to OCR, Lafourche will follow a corrective action plan that will be monitored by OCR for two years, according to the settlement.
The medical group will need to develop and implement security measures, establish and maintain written policies to comply with HIPAA rules and train staff members who have access to patient protected health information.