
HHS Catches First Phish

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has settled with Lafourche Medical Group (Lafourche), a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. In 2021 Lafourche was successfully compromised by a phishing attack that led to the unauthorized disclosure of electronic protected health information of approximately 34,862 people. This is the first HHS settlement announced following a phishing attack.

OCR concluded that Lafourche had failed to conduct a risk analysis before the attack, as required by § 164.308(a)(1)(ii)(A), and had no policies and procedures in place to regularly review information system activity, as required by § 164.308(a)(1)(ii)(D). As a result, Lafourche has agreed to a two-year corrective action plan and a $480,000 payment. We cannot help but think aloud that the amount paid would probably cover a lifetime's worth of risk analyses and policy writing. Add to this figure a class-action civil lawsuit, lawyer fees and increased insurance premiums, and it could be two lifetimes...

Click the graphic below to read the news announcement and the actual settlement agreement. More importantly, develop policies and procedures that address every Security Rule provision cited in the agreement, and don't skip the risk analysis.

Stay (HIPAA) safe, Alan -
