United States: HHS' Office For Civil Rights Reaches Settlement Of First Phishing Cyberattack Under HIPAA

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services has announced its first settlement of a HIPAA case involving a phishing cyberattack. In May 2021, Lafourche Medical Group, LLC, filed a HIPAA breach notification with OCR stating that a hacker had obtained electronic patient health information (ePHI) via a phishing cyberattack. OCR's press release states, "Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source." This cyberattack is the most common way hackers access healthcare systems to obtain patient information.

After investigating the breach, OCR determined that Lafourche failed to conduct a security rule risk analysis or implement procedures to review records of information system activity regularly. HIPAA requires that covered entities, including Lafourche, complete these activities.

The resolution agreement requires Lafourche to pay a $480,000 settlement payment and comply with a corrective action plan (CAP), which OCR will monitor for the next two years. The CAP mandates that Lafourche take the following actions to remain in compliance:

• Establish and implement a risk management plan;
• Conduct an annual risk assessment to identify risks and vulnerabilities to ePHI throughout the group;
• Create, implement, and disseminate policies and procedures, including:
  • A process to regularly review all records of information activity that the group collects; and
  • A method to evaluate when the collection of new or different information should be included in the review process;
• Report to HHS if a staff member fails to comply with group policies and procedures concerning privacy or security of PHI;
• Train staff members with access to PHI on privacy, security, and related policies and procedures;
• Maintain records of staff members' completion of training; and
• Review and update training annually based on law changes or issues arising during audits or reviews.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.