HHS’s Office for Civil Rights settles first-ever investigation into phishing cyberattack

Louisiana Medical Group settles after investigation reveals major cybersecurity breach affecting nearly 35,000 patients

Today, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced an agreement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing is a type of cybersecurity attack that tricks individuals into revealing sensitive information through electronic communication, such as email, by posing as a trusted source. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) rules. HIPAA is the federal law that protects the privacy and security of health information.

“Phishing is the most common way hackers gain access to healthcare systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular staff training and consistent monitoring and management of systemic risk to prevent these attacks. We all have a role to play in keeping our healthcare system safe and taking preventative steps against phishing attacks.”

On May 28, 2021, Lafourche Medical Group filed a breach report with HHS stating that, through a successful phishing attack on March 30, 2021, a hacker gained access to an email account that contained electronic protected health information. When protected health information is compromised by a breach resulting from a cyberattack, such as phishing, the incredibly sensitive information in an individual’s medical record is at risk. Such sensitive information may include medical diagnoses, frequency of visits to a therapist or other healthcare professionals, and where an individual seeks medical treatment.

Phishing attacks can result in identity theft, financial loss, discrimination, stigma, emotional distress, and adverse effects on the reputation, health or physical safety of the individual or others identified in the individual’s protected health information. Healthcare providers, health plans, and healthcare clearinghouses regulated by HIPAA are required to file breach reports with HHS. Based on the major breaches reported to OCR this year, over 89 million people were affected by major breaches. In 2022, over 55 million people were affected.

OCR’s investigation revealed that prior to the reported breach in 2021, Lafourche Medical Group failed to perform a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization, as required by HIPAA. OCR also found that Lafourche Medical Group did not have policies or procedures in place to regularly review information system activity in order to protect electronic protected health information against cyberattacks.

As a result, Lafourche Medical Group agreed to pay $480,000 to OCR and to implement a corrective action plan that OCR will monitor for two years. Under the plan, Lafourche Medical Group will take the following steps to resolve the identified deficiencies and comply with HIPAA:

  • Establish and implement security measures to reduce the security risks and vulnerabilities to electronic protected health information in order to keep patients’ health information protected;
  • Develop, maintain and revise written policies and procedures as necessary to comply with HIPAA regulations; and
  • Provide training on HIPAA policies and procedures to all staff members who have access to protected health information.

OCR is committed to enforcing the HIPAA rules that protect the privacy and security of protected health information. Guidance on the Privacy Rule, Security Rule, and Breach Notification Rule can be found on the OCR website. Additional cybersecurity resources can be found at:

The resolution agreement and corrective action plan can be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lafourche-medical-group/index.html

The HHS Breach Portal (Notification to the Secretary of HHS of a breach of unsecured protected health information) can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

If you believe that your or another person’s health information privacy rights or civil rights have been violated, you may file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.
