On December 7, 2023, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced its first-ever settlement involving a phishing attack under the Health Insurance Portability and Accountability Act (“HIPAA”) Rules. The recent settlement is with Lafourche Medical Group (“LMG”). LMG is a medical group in Louisiana specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement with LMG resolves an investigation of a May 2021 phishing attack that affected the electronic protected health information (“ePHI”) of over 34,000 individuals.

Background

As stated in the Resolution Agreement, HHS received a breach notification report on May 28, 2021, filed by LMG as required by 45 C.F.R. § 164.408. The breach notification report indicated LMG learned that an unauthorized individual gained access to the email accounts of one of LMG’s owners through a phishing attack. In general, “phishing” is a method of cybersecurity fraud whereby the bad actor poses as a trustworthy or credible source to convince individuals to disclose sensitive or personal information via electronic means, such as email. LMG concluded that the email account contained patients’ protected health information (“PHI”), but was unable to identify the affected patients. As a result, LMG notified all of its patients, approximately 34,862, of the incident.

Investigation and Settlement

In January 2022, HHS notified LMG of its intent to investigate LMG’s compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Through its investigation, HHS alleged that, prior to the 2023 security incident, LMG never conducted a Security Rule risk analysis or implemented procedures to regularly review records of information system activity.

As part of this resolution agreement, LMG agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years. As part of the corrective action plan, LMG will:

• prepare, document, implement, and annually review a security management process to reduce risks to ePHI;
• develop, maintain, and revise, as necessary, written polies and procedures to comply with HIPAA;
• distribute the policies and procedures to all workforce members and obtain signatures from each member stating that the member has read, understood, and will abide by the polices; and
• provide training on HIPAA policies and procedures to all workforce members who have access to patients’ PHI.

Takeaways

This resolution agreement is the first resolution between OCR and a covered entity due to a phishing incident. The publication of this resolution agreement is consistent with OCR’s recent stated enforcement priorities, which includes emphasis on security matters. Covered entities can take proactive measures to mitigate the risk of noncompliance and subsequent OCR investigation by taking some of the steps outlined in the LMG corrective action plan, including ensuring a cohesive approach to conducting security risk analysis and developing comprehensive policies and procedures to comply with HIPAA and safeguard patient PHI. Further, this resolution agreement underscores the criticality of good data hygiene practices and strong workforce training. This settlement is notable, in part, because LMG was unable to limit the universe of affected individuals to a specific group of its patients. This reminds other covered entities to ensure they limit access, know what is stored where, and train their workforce to remain vigilant for the ever-increasing (and increasingly sophisticated) phishing attacks launched at healthcare providers and their staff.