Dec. 7 (UPI) — A Louisiana medical services company will pay $480,000 to settle claims that it failed to protect nearly 35,000 patients from cyber pfishing, the Department of Health and Human Services announced Thursday.
Lafourche medical, which specializes in emergency and occupational medicine and laboratory testing, filed a report with the DHS in May 2021 that the company had been hacked, putting potentially sensitive patient information at risk.
“A hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic protected health information,” Lafourche said in its filing.
Phishing is a type of cyberattack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source.
Through phishing scams, hackers can gain access to medical diagnoses, frequency of visits to a therapist or other healthcare professionals and where an individual seeks medical treatment.
“Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to the reputation, health or physical safety of the individual or to others identified in the individual’s protected health information,” the HHS said.
“Phishing is the most common way that hackers gain access to healthcare systems to steal sensitive data and health information,” said Office for Civil Rights Director Melanie Fontes Rainer. The OCR is part of the DHS.
“It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our healthcare system safe and taking preventive steps against phishing attacks,” Rainer added.
This is the first settlement the OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act Rules. HIPAA is the federal law that protects the privacy and security of health information.
Healthcare providers, health plans and data clearinghouses regulated by HIPAA are required to file breach reports with the HHS. Based on the large breaches reported to the OCR this year, over 89 million individuals have been affected by large breaches. In 2022, over 55 million individuals were affected.
In this case, the OCR’s investigation found that, prior to 2021, Larouche failed to conduct a risk analysis of potential cyber threats and left itself vulnerable.
In addition to the fine, Larouche will be required to follow a series of steps to guard against future breaches and will be monitored by the OCR for two years.