Feds set a punishing precedent for healthcare providers that fall victim to this common cyberattack.

If you think the feds will be sympathetic to a HIPAA data breach that was caused by phishing, think again.

New case: Last month, the HHS Office for Civil Rights settled its first investigation of a phishing cyberattack. Louisiana-based Lafourche Medical Group identified an email phishing scheme that had impacted 34,862 individuals’ electronic protected health information (ePHI) and filed a HIPAA breach in March 2021.

OCR investigated and uncovered that Lafourche had “failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA,” a release notes. Plus Lafourche “had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks,” the agency says.

Lafourche agreed to pay OCR a whopping $480,000 in fines and enter into a two-year corrective action plan (CAP) to resolve the investigation. A large part of the organization’s CAP includes devising a compliance program, implementing risk analysis practices, and training staff.

The somewhat stiff penalty comes even though Lafourche self-disclosed the problem, notes attorney Amy O’Neill with law firm King & Spalding in California, in online analysis.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” says OCR Director Melanie Fontes Rainer in the release. “It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks,” Fontes Rainer maintains.
“Phishing continues to be the most pervasive attack vector in cybersecurity incidents, often resulting in breaches of PHI and other sensitive information,” emphasize attorneys Jodi Daniel and Brandon Ge with law firm Crowell & Moring in Washington, D.C. “It therefore remains critical for covered entities and business associates to implement measures to reduce the risk associated with phishing attacks, including regularly training workforce members on how to recognize and avoid falling prey to phishing attacks,” Daniel and Ge stress in the C&M Health Law blog.

Try this: “Organizations should … consider conducting phishing simulations whereby simulated phishing emails are sent to workforce members to mimic real-world phishing attacks,” Daniel and Ge recommend. “This not only provides valuable teaching moments to those who fail these simulations but also provides valuable metrics to organizations,” they say.