- The HHS’ Office for Civil Rights announced on Thursday it had reached a $480,000 settlement with a Louisiana-based medical group over a 2021 data breach, marking the first settlement the agency has resolved related to a phishing cyberattack.
- Lafourche Medical Group reported that a hacker had accessed an email account with protected health information in March 2021 via a phishing attack, which attempts to trick users into divulging sensitive data or downloading malware. About 34,862 individuals' health information may have been exposed.
- The OCR’s investigation found Lafourche failed to conduct a risk analysis to identify potential threats and vulnerabilities before the attack, and that the medical group didn’t have policies or procedures in place to regularly review its system activity.
Healthcare data breaches have risen over the past decade, exposing hundreds of millions of patients’ sensitive health and personal information. More than 89 million people have been affected by large breaches reported to the OCR this year, compared with 55 million in 2022, according to the agency.
The HHS has recently made moves to boost cybersecurity in the healthcare sector. Earlier this week, the department released a concept paper outlining its new strategy, which will include eventually proposing cybersecurity requirements for hospitals through Medicare and Medicaid and updating the HIPAA Security Rule.
It also announced its first settlement related to a healthcare ransomware attack earlier this fall. Ransomware, where criminals demand payment in return for restored access to critical data and systems, poses a growing threat to the sector, as the attacks can disrupt hospital operations and delay access to care.
But phishing is the most common way that hackers access healthcare systems, OCR Director Melanie Fontes Rainer said in a statement.
“It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks,” she said.
In addition to the $480,000 payment to OCR, Lafourche will follow a corrective action plan that will be monitored by OCR for two years, according to the settlement.
The medical group will need to develop and implement security measures, establish and maintain written policies to comply with HIPAA rules and train staff members who have access to patient protected health information.