On December 7, 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Lafourche Medical Group. The settlement was the first OCR has reached over a phishing attack; it resulted from an incident the group reported in May 2021. To close the investigation, the Louisiana medical group agreed to pay $480,000 to OCR and to implement a corrective action plan.
The Phishing Incident and Its Aftermath
On March 30, 2021, an attacker gained access to Lafourche Medical Group’s systems through an employee’s email account. As a result, the protected health information (PHI) of 34,862 patients was potentially exposed.
This type of attack, phishing, has become more common in healthcare because the wealth of patient information providers hold can be used for identity theft and financial fraud. Although this is the first phishing settlement OCR has reached, it likely will not be the last.
“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”
While Lafourche did the right thing by reporting the breach to OCR promptly, the lack of security measures in place before the incident led to the large settlement. OCR’s investigation found that Lafourche had failed to conduct a security risk analysis (commonly called a security risk assessment, or SRA) and lacked policies and procedures for regularly reviewing information system activity. Both are required by the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A) and (D)), so each omission is a potential HIPAA violation in its own right.
As part of the settlement, Lafourche agreed to:
- Implement security measures to reduce security risks and vulnerabilities to electronic protected health information
- Develop and maintain policies and procedures as necessary to comply with HIPAA
- Provide training to all staff members who have access to patients’ protected health information on HIPAA policies and procedures
How to Recognize Phishing Emails
Phishing emails can be difficult to detect because the attacker impersonates a trusted entity. The aim is to trick the recipient into clicking a link, opening an attachment, or entering credentials, any of which can give the attacker access to the organization’s network.
Below are some indicators that an email is malicious:
- The email asks for personal information
Legitimate organizations do not send emails asking for passwords, credit card numbers, credit scores, or Social Security numbers. If an email asks for any of this information, treat it as phishing rather than as a message from a legitimate organization.
- The email uses a generic greeting
Emails from organizations you already deal with usually address you by name, whereas many phishing emails use a generic greeting such as “Dear valued customer,” or no greeting at all. The reverse is not a safe test: targeted (spear-phishing) emails are often personalized, so a correct name is not proof of legitimacy.
- Sender’s email address doesn’t look genuine
When an email arrives from an unfamiliar sender, check the actual sending address, not just the display name; most mail clients reveal it when you hover over or click the “from” name. Legitimate organizations send from their own domain, whereas attackers register look-alike domains that change a letter, add a number, or substitute characters that resemble the real ones (a digit 1 for a lowercase l, “rn” for “m”). Read the spelling carefully, one character at a time.
- It’s poorly written
Poor writing is a good indication that an email is not from a trusted organization, and spelling or grammar mistakes should raise suspicion. Clean prose proves nothing, however: many current phishing campaigns are carefully written, so this sign should be weighed alongside the others.
- It’s trying to force you to their website
Some phishing emails are built so that clicking anywhere in the message sends the recipient to a malicious website. Legitimate organizations do not force you onto their site; an email that consists of nothing but a “click here” button, or something similar, with no explanatory text should be treated as malicious.
- It contains an unsolicited attachment
An unsolicited email with an attachment is a likely phishing attempt; legitimate businesses generally send attachments only when they are expected. Executables (.exe, .scr) and archives (.zip) are high-risk attachment types, as are script files, disk images and macro-enabled Office documents, and a double extension such as invoice.pdf.exe is a particularly strong sign.
- Links don’t go where they claim to
Before clicking any link, hover over it to see the address it actually points to. If that address differs from the link text, or doesn’t match the context of the email, treat the message as phishing.
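As an added example (not code from the original article, from OCR, or from Lafourche), the following Python script applies the sender, greeting, wording, link and attachment indicators listed above to a raw email message and reports which ones fire. The trusted-domain list, every hostname, and both sample messages are constructed for illustration; the anchor-tag regex and the two-label domain extraction are deliberate simplifications.

```python
"""Flag the phishing indicators described above in a raw RFC 5322 message.
Standard library only; all domains and both sample messages are constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"lafourchemedical.example", "insurer.example"}  # assumption: the org's own domains
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".iso", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm")
SENSITIVE_KEYWORDS = ("password", "social security", "credit card", "credit score")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear account holder")
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simplification, no HTML parser

def levenshtein(a, b):
    """Edit distance: a trusted domain one or two edits away is a likely look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels of a host name (assumes no two-label public suffixes such as co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host):
    """Trusted domain that `host` imitates, or None if `host` is exact or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if levenshtein(dom, t) <= 2), None)

def check_message(raw):
    """Return (indicator, detail) findings for one raw message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Sender: the display name can show a trustworthy address while the real
    # addr-spec points elsewhere, and the real domain may be a look-alike.
    addrs = msg["From"].addresses if msg["From"] else ()
    display, sender = (addrs[0].display_name, addrs[0].domain) if addrs else ("", "")
    if "@" in display and registrable(display.rpartition("@")[2]) != registrable(sender):
        findings.append(("display-name-mismatch", f"shows {display!r}, sent from {sender!r}"))
    if lookalike_of(sender):
        findings.append(("lookalike-sender", f"{sender!r} imitates {lookalike_of(sender)!r}"))
    # Wording: generic salutation, requests for credentials or financial data.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", content).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", "no personalised salutation"))
    if any(k in text for k in SENSITIVE_KEYWORDS):
        findings.append(("asks-for-personal-info", "mentions credentials or financial data"))
    # Links: visible text naming one domain while the href goes to another, or a look-alike href.
    if body is not None and body.get_content_type() == "text/html":
        for href, shown in ANCHOR_RE.findall(content):
            target = urlparse(href).hostname or ""
            m = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", shown).lower())
            if m and registrable(m.group(1)) != registrable(target):
                findings.append(("link-text-mismatch", f"text says {m.group(1)!r}, goes to {target!r}"))
            if lookalike_of(target):
                findings.append(("lookalike-link", f"{target!r} imitates {lookalike_of(target)!r}"))
    # Attachments: executables, scripts, archives, disk images, macro-enabled Office files.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings

# Constructed credential lure: spoofed display name, look-alike sender domain,
# generic greeting, password talk, and a link whose text and href disagree.
SAMPLE_LURE = b"""From: "billing@lafourchemedical.example" <billing@lafourchemedica1.example>
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear valued customer,</p><p>Your password has expired. Reset it at
<a href="http://login.lafourchemedica1.example/reset">https://portal.lafourchemedical.example/reset</a>
within 24 hours.</p></body></html>
"""

# Constructed attachment lure from a genuine internal address: only the double-extension executable fires.
SAMPLE_ATTACHMENT = b"""From: "HR Department" <hr@lafourchemedical.example>
Subject: Updated policy
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Dana, the updated policy is attached.
--b1
Content-Disposition: attachment; filename="policy.pdf.exe"

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_LURE), check_message(SAMPLE_ATTACHMENT), sep="\n")
```

To check a saved message, call `check_message(open("message.eml", "rb").read())`. These are triage heuristics for training and review, not a mail filter: a correct name or clean grammar is not proof of legitimacy, and a look-alike domain is only one way the From header can be misused, so gateway enforcement of SPF, DKIM and DMARC remains the control that stops outright spoofing of a trusted domain.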