Feds Levy First-Ever HIPAA Fine for a Phishing BreachIncident That Affected 35,000 Urgent Care Clinic Patients Results in $480K Fine
Weeks after the Department of Health and Human Services announced its first HIPAA enforcement action in a ransomware breach, federal regulators have reached another milestone: a $480,000 settlement in a HIPAA case centered for the first time ever on a phishing attack.
HHS' Office for Civil Rights on Thursday said the settlement with Louisiana-based Lafourche Medical Group, an urgent care clinic, resolves the agency's investigation into an email phishing breach reported in 2021 that compromised the electronic protected health information of nearly 35,000 individuals.
"Phishing is the most common way that hackers gain access to healthcare systems to steal sensitive data and health information," said OCR Director Melanie Fontes Rainer in a statement.
"It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks," she said. "We all have a role to play in keeping our healthcare system safe and taking preventive steps against phishing attacks."
HHS OCR's investigation into the Lafourche Medical Group incident found that prior to the 2021 breach, the clinic had failed to conduct an enterprisewide risk analysis to identify potential threats or vulnerabilities to ePHI as required under HIPAA.
OCR said it also found that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard PHI against cyberattacks.
The failure to conduct a thorough enterprisewide security risk analysis is among the most common potential violations HHS OCR has cited repeatedly in its enforcement actions over the years.
Besides paying the hefty fine, Lafourche Medical Center must implement a corrective action plan that includes developing, maintaining and revising a security risk management plan, as well as practices and policies that comply with the HIPAA privacy and security rules.
The entity must also distribute those policies and practices to its employees and provide all workforce members with HIPAA training.
HHS OCR will also monitor Lafourche Medical Group for two years. The clinic did not immediately respond to Information Security Media Group's request for comment on the settlement.
The enforcement action against Lafourche Medical Group comes after HHS OCR on Halloween announced its first-ever resolution agreement in a HIPAA breach case involving a ransomware attack.
Under that settlement, Massachusetts-based medical management firm Doctor Management Group agreed to pay a $100,000 financial penalty and undergo three years of HIPAA compliance monitoring following an investigation into a ransomware breach reported in 2019 as affecting nearly 206,700 individuals (see: Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach).
The settlement with Lafourche Medical Group is HHS OCR's 11th HIPAA enforcement action announced so far this year. The largest HIPAA penalty so far in 2023 was a $1.25 million settlement with Arizona-based Banner Health in February for a 2016 hacking incident that affected nearly 3 million people.
While HHS OCR has taken enforcement actions in a handful of hacking breach cases so far this year, overall, since 2019, the vast majority of the agency's enforcement attention has been on cases involving violations of the HIPAA right of access provision. There have been nearly 50 such cases to date in which HHS OCR has smacked entities with fines for failing to provide patients or their representatives with timely access to requested health records.