HHS Office for Civil Rights Settles First Ever Phishing CyberAttack Investigation HHSgov
pAn official website of the United States governmentppHeres how you knowpp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock LockA locked padlock or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppLouisiana Medical Group settles after investigation reveals large cybersecurity breach affecting nearly 35000 patientsppToday the US Department of Health and Human Services HHS Office for Civil Rights OCR announced a settlement with Lafourche Medical Group a Louisiana medical group specializing in emergency medicine occupational medicine and laboratory testing The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34862 individuals Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication such as email by impersonating a trustworthy source This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act HIPAA Rules HIPAA is the federal law that protects the privacy and security of health information ppPhishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information said OCR Director Melanie Fontes Rainer It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacksppOn May 28 2021 Lafourche Medical Group filed a breach report with HHS stating that a hacker through a successful phishing attack on March 30 2021 gained access to an email account that contained electronic protected health information When protected health information is compromised by a cyberattack breach such as phishing incredibly sensitive information about an individuals medical records is at risk The types of sensitive information can include medical diagnoses frequency of visits to a therapist or other health care professionals and where an individual seeks medical treatmentppPhishing attacks can result in identity theft financial loss discrimination stigma mental anguish negative consequences to the reputation health or physical safety of the individual or to others identified in the individuals protected health information Health care providers health plans and data clearinghouses regulated by HIPAA are required to file breach reports with HHS Based on the large breaches reported to OCR this year over 89 million individuals have been affected by large breaches In 2022 over 55 million individuals were affectedppOCRs investigation revealed that prior to the 2021 reported breach Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA OCR also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks ppAs a result Lafourche Medical Group agreed to pay 480000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years Lafourche Medical Group will take the following steps to resolve and comply withppOCR is committed to enforcing the HIPAA Rules that protect the privacy and security of protected health information Guidance about the Privacy Rule Security Rule and Breach Notification Rules can be found on OCRs website Additional cybersecurity resources may be found atppThe resolution agreement and corrective action plan may be found at httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementslafourchemedicalgroupindexhtml ppThe HHS Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at httpsocrportalhhsgovocrbreachbreachreportjsfppIf you believe that your or another persons health information privacy or civil rights have been violated you can file a complaint with OCR at httpswwwhhsgovocrcomplaintsindexhtmlppReceive the latest updates from the Secretary Blogs and News ReleasesppReceive latest updatesppppFor general media inquiries please contact mediahhsgovppReceive the latest updates from the Secretary Blogs and News Releasespp200 Independence Avenue SW
Washington DC 20201
Toll Free Call Center 18776966775p
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock LockA locked padlock or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppLouisiana Medical Group settles after investigation reveals large cybersecurity breach affecting nearly 35000 patientsppToday the US Department of Health and Human Services HHS Office for Civil Rights OCR announced a settlement with Lafourche Medical Group a Louisiana medical group specializing in emergency medicine occupational medicine and laboratory testing The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34862 individuals Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication such as email by impersonating a trustworthy source This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act HIPAA Rules HIPAA is the federal law that protects the privacy and security of health information ppPhishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information said OCR Director Melanie Fontes Rainer It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacksppOn May 28 2021 Lafourche Medical Group filed a breach report with HHS stating that a hacker through a successful phishing attack on March 30 2021 gained access to an email account that contained electronic protected health information When protected health information is compromised by a cyberattack breach such as phishing incredibly sensitive information about an individuals medical records is at risk The types of sensitive information can include medical diagnoses frequency of visits to a therapist or other health care professionals and where an individual seeks medical treatmentppPhishing attacks can result in identity theft financial loss discrimination stigma mental anguish negative consequences to the reputation health or physical safety of the individual or to others identified in the individuals protected health information Health care providers health plans and data clearinghouses regulated by HIPAA are required to file breach reports with HHS Based on the large breaches reported to OCR this year over 89 million individuals have been affected by large breaches In 2022 over 55 million individuals were affectedppOCRs investigation revealed that prior to the 2021 reported breach Lafourche Medical Group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA OCR also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks ppAs a result Lafourche Medical Group agreed to pay 480000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years Lafourche Medical Group will take the following steps to resolve and comply withppOCR is committed to enforcing the HIPAA Rules that protect the privacy and security of protected health information Guidance about the Privacy Rule Security Rule and Breach Notification Rules can be found on OCRs website Additional cybersecurity resources may be found atppThe resolution agreement and corrective action plan may be found at httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementslafourchemedicalgroupindexhtml ppThe HHS Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at httpsocrportalhhsgovocrbreachbreachreportjsfppIf you believe that your or another persons health information privacy or civil rights have been violated you can file a complaint with OCR at httpswwwhhsgovocrcomplaintsindexhtmlppReceive the latest updates from the Secretary Blogs and News ReleasesppReceive latest updatesppppFor general media inquiries please contact mediahhsgovppReceive the latest updates from the Secretary Blogs and News Releasespp200 Independence Avenue SW
Washington DC 20201
Toll Free Call Center 18776966775p