HHS Settles 1st Enforcement Strike Over Phishing Cyber Attack

I wanted to provide a summary of a recent regulatory action of concern to healthcare providers. This actual case can provide valuable guidance to the healthcare provider and assist their staff in creating policies and staff training to avoid these types of compliance issues.

If you have any compliance concerns, reach out to me at [email protected] for assistance.

Party Punished: Lafourche Medical Group

Location: Raceland, LA

Issue: Phishing Cyber-Attack

Summary: Lafourche Medical Group filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic protected health information. When protected health information is compromised by a cyber-attack breach such as phishing, incredibly sensitive information about an individual’s medical records is at risk. The types of sensitive information can include medical diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.

Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, and negative consequences to the reputation, health, or physical safety of the individual or of others identified in the individual’s protected health information. Health care providers, health plans and data clearinghouses regulated by HIPAA are required to file breach reports with HHS. Based on the large breaches reported to OCR this year, over 89 million individuals have been affected by large breaches; in 2022, over 55 million individuals were affected.

OCR’s investigation revealed that, prior to the 2021 reported breach, Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA. OCR also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks.
