Tech & Innovation in Healthcare

Industry Notes:

OCR Lands a Major Catch in a Phishing Case

Prepare to pay if you’re not assessing your risks.

Healthcare technology has shown immense benefits — from artificial intelligence (AI) and electronic health records (EHRs) to new clinical tools. However, as more patient interactions and office work are performed digitally, cybersecurity must be a top priority of your practice, and you don’t want the federal government to catch you unprepared after a phishing scheme.

Details: On Dec. 7, 2023, the HHS Office for Civil Rights (OCR) settled its first investigation of a phishing cyberattack. Louisiana-based Lafourche Medical Group, which specializes in emergency care, occupational medicine, and lab testing, identified an email phishing scheme that had impacted 34,862 individuals’ electronic protected health information (ePHI) and filed a HIPAA breach report in March 2021. OCR investigated and uncovered that Lafourche had “failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA,” a release noted. “OCR also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks,” the agency said.

Lafourche agreed to pay OCR $480,000 in fines and enter into a two-year corrective action plan (CAP) to resolve the investigation. A large part of the organization’s CAP includes devising a compliance program, implementing risk analysis practices, and training staff.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer in the release. “It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

Resource: View the release, which includes links to the resolution, at www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html.