OCR settles phishing assault investigation, with supplier paying $480,000

Photo of author

By Calvin S. Nelson

The U.S. Division of Well being and Human Providers Workplace for Civil Rights stated Thursday it has settled with Lafourche Medical Group closing an investigation over a phishing assault that affected the digital protected well being data of roughly 34,862 people.


A hacker gained entry to an e-mail account that contained ePHI owned by Lafourche Medical Group, a supplier of emergency medication, occupational medication and laboratory testing in Louisiana on March 30, 2021.

OCR stated its investigation revealed that earlier than the reported breach, the supplier didn’t conduct a threat evaluation required by HIPAA. The company famous in its announcement that it additionally found that Lafourche Medical Group had no insurance policies or procedures in place to commonly assessment data system exercise to safeguard ePHI in opposition to cyberattacks.

In consequence, the ambulatory supplier agreed to pay $480,000 to OCR and to implement a corrective motion plan that shall be monitored by OCR for 2 years.

All healthcare organizations have a job in taking preventive steps to stop phishing assaults, OCR Director Melanie Fontes Rainer stated in a press release. 

Whereas phishing assaults trick people into disclosing delicate data by way of digital communication by impersonating a reliable supply, they’ve grow to be ubiquitous. OCR stated greater than 89 million people have been affected by giant, pricey affected person information breaches, in accordance with this 12 months’s breach report filings by HIPAA-covered entities.


Cyberattacks breach affected person information safety legal guidelines may also disrupt care, endangering sufferers because the assaults unfold. 

Whereas OCR has investigated and fined healthcare organizations for Well being Insurance coverage Portability and Accountability Act Safety Rule violations associated to {hardware} theft and different varieties of information breaches previously, HHS proposes additional penalties in opposition to hospitals for cyberattacks.

The Facilities for Medicare and Medicaid Providers is engaged on and can suggest new cybersecurity necessities, whereas OCR will start including new cybersecurity necessities to HIPAA within the spring of 2024, HHS stated within the announcement concerning the new coverage technique this week.

“Funding and voluntary targets alone won’t drive the cyber-related behavioral change wanted throughout the healthcare sector,” the company stated within the assertion.

The American Hospital Affiliation has stated it won’t help proposals for necessary cybersecurity necessities on hospitals, declaring that every one organizations – together with the federal government – are inclined to those assaults, regardless of their greatest efforts.

“Imposing fines or slicing Medicare funds would diminish hospital assets wanted to fight cybercrime and could be counterproductive to our shared purpose of stopping cyberattacks,” Rick Pollack, AHA’s president and CEO, instructed Healthcare IT Information.


“Phishing is the commonest approach that hackers acquire entry to healthcare methods to steal delicate information and well being data,” stated OCR’s Fontes Rainer in a press release.

“It’s crucial that the healthcare trade be vigilant in defending its methods and delicate medical data, which incorporates common coaching of employees and persistently monitoring and managing system threat to stop these assaults.”

Andrea Fox is senior editor of Healthcare IT Information.
Electronic mail: afox@himss.org

Healthcare IT Information is a HIMSS Media publication.

Leave a Comment