First Settlement by OCR in a Phishing Cyber-Attack Investigation

King & Spalding

On December 7, 2023, OCR announced that it was settling a phishing cyber-attack investigation into Lafourche Medical Group (the Medical Group), which specializes in emergency medicine, occupational medicine, and laboratory testing. The Medical Group, based in Louisiana, was the target of a phishing attack in March of 2021 that compromised the protected health information (PHI) of over 35,000 individuals. The settlement terms include payment to OCR of $480,000 and a corrective action plan that OCR will monitor for two years. This is the first settlement involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) rules.

The Medical Group self-disclosed the attack and the compromise of patient PHI in May 2021. According to OCR, its investigation revealed that the Medical Group “failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic [PHI] across the organization as required by HIPAA.” In addition, OCR “discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard [PHI] against cyberattacks.”

The corrective action plan, which is part of the settlement, includes the following terms:

  • Establishing and implementing security measures to reduce security risks and vulnerabilities to electronic PHI in order to keep patients’ PHI secure;
  • Developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA rules; and
  • Providing training to all staff members who have access to patients’ PHI on HIPAA policies and procedures.

A copy of OCR’s press release can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
