Last week, the Office for Civil Rights (“OCR”) announced a settlement with Lafourche Medical Group (“LMG”), a Louisiana medical group, for a 2021 phishing attack and breach that affected the protected health information (“PHI”) of 34,862 individuals. In addition to paying $480,000 to OCR, LMG agreed to a corrective action plan that will include implementing security measures to protect electronic PHI, developing written policies and procedures to comply with HIPAA rules, and training staff members.
In March 2021, a hacker gained access to an owner’s email account through a phishing attack. The email account contained patients’ PHI, and because LMG was unable to determine which specific patients were affected, it notified all 34,862 of its patients. OCR investigated and found that LMG had never conducted a security risk analysis prior to the incident. LMG also had not implemented procedures to regularly review records of information system activity.
Phishing continues to be the most pervasive attack vector in cybersecurity incidents, often resulting in breaches of PHI and other sensitive information. It therefore remains critical for covered entities and business associates to implement measures to reduce the risk associated with phishing attacks, including regularly training workforce members on how to recognize and avoid falling prey to phishing attacks. Organizations should also consider conducting phishing simulations, in which simulated phishing emails are sent to workforce members to mimic real-world phishing attacks. This not only provides valuable teaching moments for those who fail the simulations but also gives organizations useful metrics.