HHS’ Office for Civil Rights Reaches Settlement of First Phishing Cyberattack Under HIPAA

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has announced its first settlement of a HIPAA case involving a phishing cyberattack. In May 2021, Lafourche Medical Group, LLC, filed a HIPAA breach notification with OCR stating that a hacker had obtained electronic protected health information (ePHI) via a phishing cyberattack. OCR’s press release states, “Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source.” Phishing is the most common way hackers gain access to healthcare systems to obtain patient information.

After investigating the breach, OCR determined that Lafourche had failed to conduct a Security Rule risk analysis and had failed to implement procedures to regularly review records of information system activity. HIPAA requires covered entities, including Lafourche, to complete both of these activities.

The resolution agreement requires Lafourche to pay a $480,000 settlement payment and comply with a corrective action plan (CAP), which OCR will monitor for the next two years. The CAP mandates that Lafourche take the following actions to remain in compliance:

  • Establish and implement a risk management plan;
  • Conduct an annual risk assessment to identify risks and vulnerabilities to ePHI throughout the group;
  • Create, implement, and disseminate policies and procedures, including:
    • A process to regularly review all records of information activity that the group collects; and
    • A method to evaluate when the collection of new or different information should be included in the review process;
  • Report to HHS if a staff member fails to comply with group policies and procedures concerning privacy or security of PHI;
  • Train staff members with access to PHI on privacy, security, and related policies and procedures;
  • Maintain records of staff members’ completion of training; and
  • Review and update training annually based on law changes or issues arising during audits or reviews.

HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.


Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.
