The U.S. Department of Health and Human Services Office for Civil Rights said Thursday it has settled with Lafourche Medical Group closing an investigation over a phishing attack that affected the electronic protected health information of approximately 34,862 individuals.

WHY IT MATTERS

A hacker gained access to an email account that contained ePHI owned by Lafourche Medical Group, a provider of emergency medicine, occupational medicine and laboratory testing in Louisiana on March 30, 2021.

OCR said its investigation revealed that before the reported breach, the provider failed to conduct a risk analysis required by HIPAA. The agency noted in its announcement that it also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard ePHI against cyberattacks.

As a result, the ambulatory provider agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years.

All healthcare organizations have a role in taking preventive steps to prevent phishing attacks, OCR Director Melanie Fontes Rainer said in a statement. 

While phishing attacks trick individuals into disclosing sensitive information via electronic communication by impersonating a trustworthy source, they have become ubiquitous. OCR said more than 89 million individuals have been affected by large, costly patient data breaches, according to this year's breach report filings by HIPAA-covered entities.

THE LARGER TREND

Cyberattacks breach patient data protection laws can also disrupt care, endangering patients as the attacks unfold. 

While OCR has investigated and fined healthcare organizations for Health Insurance Portability and Accountability Act Security Rule violations related to hardware theft and other types of data breaches in the past, HHS proposes further penalties against hospitals for cyberattacks.

The Centers for Medicare and Medicaid Services is working on and will propose new cybersecurity requirements, while OCR will begin adding new cybersecurity requirements to HIPAA in the spring of 2024, HHS said in the announcement about the new policy strategy this week.

"Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector," the agency said in the statement.

The American Hospital Association has said it will not support proposals for mandatory cybersecurity requirements on hospitals, pointing out that all organizations – including the government – are susceptible to these attacks, despite their best efforts.

"Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks," Rick Pollack, AHA’s president and CEO, told Healthcare IT News.

ON THE RECORD

"Phishing is the most common way that hackers gain access to healthcare systems to steal sensitive data and health information," said OCR's Fontes Rainer in a statement.

"It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.