On December 7, 2023, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (ePHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules.
On May 28, 2021, the medical group filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained ePHI. OCR’s investigation revealed that, prior to the 2021 reported breach, the medical group failed to conduct a risk analysis to identify potential threats or vulnerabilities to ePHI across the organization as required by HIPAA. OCR also discovered that the medical group had no policies or procedures in place to regularly review information system activity to safeguard protected health information (PHI) against cyberattacks.
As a result, the medical group agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years. They will also take the following steps:
- Establish and implement security measures to reduce security risks and vulnerabilities to ePHI in order to keep patients’ PHI secure;
- Develop, maintain, and revise written policies and procedures as necessary to comply with the HIPAA Rules; and
- Provide training to all staff members who have access to patients’ PHI on HIPAA policies and procedures.
Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can be found on OCR’s website. Additional cybersecurity resources may be found at:
- OCR’s newsletter on Defending Against Common Cyber-Attacks.
- Health Sector Cybersecurity Coordination Center White Paper on AI-Augmented Phishing and the Threat to the Health Sector – PDF.
- HHS 405d Health Industry Cybersecurity Practices on Email Phishing Attacks – PDF.
- Videos on “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks” in English and Spanish.
Compliance Perspective
Issue
Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI. When PHI is compromised by a cyberattack breach such as phishing, incredibly sensitive information about an individual’s medical records is at risk. Healthcare providers, health plans, and data clearinghouses regulated by HIPAA are required to file breach reports with HHS. Based on the large breaches reported to OCR this year, over 89 million individuals have been affected by large breaches. In 2022, over 55 million individuals were affected.
Discussion Points
- Review policies and procedures related to HIPAA and ePHI. Ensure that they address how to secure ePHI and how to avoid falling prey to security breach efforts by unauthorized individuals. Update as new information becomes available.
- Train staff involved with the use and maintenance of the organization’s computer information systems regarding the HIPAA Rules, including the requirements for conducting risk assessments. Train all staff on HIPAA and PHI upon hire and annually, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Document that these trainings occurred and file the signed training document in each employee’s education file.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA and PHI are being followed by all staff, and that each person demonstrates understanding and competency. Also periodically audit to ensure ongoing risk analysis is being conducted and that computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*