Getty Images/Tetra images RF

HHS Settles First Phishing Attack Investigation With Louisiana Medical Group

Lafourche Medical Group agreed to pay $480K to HHS and implement a corrective action plan following a phishing attack that impacted nearly 35,000 individuals.

HHS reached its first-ever phishing attack settlement with Lafourche Medical Group, a Louisiana-based medical group that specializes in emergency medicine, lab testing, and occupational medicine. Lafourche agreed to pay $480,000 to the Office for Civil Rights (OCR) and implement a corrective action plan to resolve the investigation.

Lafourche Medical Group suffered a phishing attack in March 2021 that impacted the protected health information (PHI) of nearly 35,000 individuals. OCR subsequently launched an investigation into the incident and found that Lafourche had failed to conduct a risk analysis to identify potential vulnerabilities prior to the incident, as required by HIPAA.

OCR also found that Lafourche had not implemented any policies or procedures to regularly review information system activity to safeguard health data against cyberattacks.

“Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s protected health information,” OCR stated.

In addition to the monetary settlement, Lafourche agreed to take steps to improve its security posture to prevent future phishing attacks. The medical group must establish security measures to address security risks and vulnerabilities, develop policies to comply with HIPAA, and provide training to all staff who access PHI. OCR will monitor Lafourche for two years to ensure compliance with the corrective action plan.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer.

“It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

Next Steps

Dig Deeper on HIPAA compliance and regulation