HHS agrees to $480,000 settlement with Louisiana medical group over data breach
The U.S. Department of Health and Human Services (HHS) agreed to a settlement of $480,000 with Louisiana-based medical group Lafourche Medical Group following a 2021 cyberattack that exposed the sensitive information of nearly 35,000 people.
In addition to the monetary penalty, the company agreed to undergo periodic audits by HHS for two years.
HHS noted that this is the first settlement it has resolved involving a phishing attack that led to violations of the Health Insurance Portability and Accountability Act (HIPAA) — a federal law governing the privacy and security of health information.
The law requires companies handling protected health information to conduct a risk analysis to identify potential threats or vulnerabilities to systems.
Lafourche Medical Group specializes in emergency medicine, occupational medicine, and laboratory testing. On May 28, 2021, the company filed a breach report with HHS that said hackers used a phishing attack on March 30, 2021 to gain access to an email account that held electronic health information of 34,862 people.
HHS noted that Lafourche Medical Group had “no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks.”
“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said HHS’ Office for Civil Rights (OCR) Director Melanie Fontes Rainer.
“It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”
Lafourche Medical Group agreed to implement a corrective plan that will be monitored by OCR for two years. The plan includes an agreement that the company will implement security measures to reduce the cybersecurity risks to health information.
They will need to develop, maintain and frequently revise written cybersecurity policies and procedures, and staff will have to undergo training.
A bigger role for HHS
The settlement is the first step in HHS’ multi-pronged effort to take a tougher stance on cybersecurity in the health sector.
The department published a planning document on Wednesday that outlines several voluntary and potentially mandatory actions hospitals will need to take.
One pillar of the plan involves adding cybersecurity requirements to Medicare and Medicaid, as well as updates to HIPAA’s Security Rule in the spring of 2024 that would also include new cybersecurity requirements.
HHS said it is planning to work with Congress to increase civil monetary penalties for HIPAA violations and to expand its resources so it can investigate more potential HIPAA violations, conduct audits and provide more technical assistance.
The moves come after a year full of headline-grabbing attacks on healthcare facilities that caused widespread outages and disastrous ambulance diversions.
In addition to the immediate impacts of destructive ransomware attacks, troves of sensitive user data continue to find their way onto the dark web, exposing millions to identity theft and worse.
HHS said over 89 million individuals have been affected by large breaches reported to OCR this year. In 2022, over 55 million individuals were affected.
Karan Sondhi, CTO at cybersecurity company Trellix, noted that the U.S. healthcare system is still slowly recovering from a staffing crisis and employee burnout, which makes the prospect of further cyberattacks worrying for all healthcare systems.
“Considering 17% of healthcare cyberattacks lead to physical harm or death, the current growth trajectory can lead to tragedy. The industry has not been purposefully negligent,” Sondhi said.
“Instead, a combination of missing education, low investment, and minimal guidelines for initiating change creates the perfect storm for malicious actor exploitation.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.