You’ve seen the old signs: “Out to lunch” or “Gone fishing.” Such messages placed conspicuously in front of small businesses may have been commonplace in the low-tech days of the last century, but these phrases now serve as a descriptor of either laziness or craziness. At the very least, careless disregard may be the modern-day messaging implicit in these memes. The problem is that running a 21st-century business in a carefree manner can invite predators to engage in a fishing expedition at your own expense.
In late December, the Office for Civil Rights (OCR), an agency under the aegis of the U.S. Department of Health and Human Services (HHS), announced a financial settlement with a private medical group following a phishing attack that affected the electronic protected health information (ePHI) of 34,862 patients. The term “phishing” describes a particular kind of cyberattack that employs clever methods to entice individuals to disclose sensitive information via electronic communication, such as email. Typically, the method involves the impersonation of a trustworthy source, such as a co-worker or supervisor. Such an attack scored a major hit on Lafourche (pronounced “Lah-foosh”) Medical Group (LMG), a Louisiana-based clinical practice specializing in emergency medicine, occupational medicine and laboratory testing.
Baiting the Hook
On May 28, 2021, LMG filed a breach report with HHS stating that a phishing attack, which occurred the previous March, enabled a hacker to successfully gain access to ePHI. This exposed sensitive patient information, including diagnoses, frequency of visits and treatment locations. Phishing attacks commonly lead to identity theft, monetary exploitation and harm to one’s reputation. All this, in turn, can lead to mental anguish and financial loss on the part of the patient. Cybersecurity experts consider phishing a very serious danger because of its potential to cause large-scale harm.
In response to the breach report, the OCR investigated the case and found that the medical group was in violation of multiple regulations that arise from the Health Insurance Portability and Accountability Act (HIPAA). It was determined that, prior to the 2021 reported breach, LMG failed to conduct a risk analysis to identify potential threats or vulnerabilities to ePHI across the organization as required by HIPAA. The OCR also discovered that the group had no policies or procedures in place to regularly review information system activity to safeguard PHI against cyberattacks. This, dear readers, is what we call being “out to lunch” from a vigilance standpoint. Such reckless disregard is not only illegal, it’s actually harmful to your own financial interests.
Resolution and Restitution
As a result of the federal investigation, LMG agreed to pay OCR a fine of $480,000 and to implement a corrective action plan that is to be monitored by the agency for two years. Specifically, the group has agreed to take the following actions:
- Establish and implement security measures to reduce security risks and vulnerabilities to ePHI in order to keep patients’ protected health information secure;
- Develop, maintain and revise written policies and procedures as necessary to comply with the HIPAA rules; and
- Provide training to all staff members who have access to patients’ PHI on HIPAA policies and procedures.
Tales and Takeaways
The LMG case serves as a cautionary tale for medical entities, generally—including hospitals. This marks the first settlement imposed by the OCR that involved a phishing attack. According to the agency’s director, Melanie Fontes Rainer:
Phishing is the most common way that hackers gain access to healthcare systems to steal sensitive data and health information. It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our healthcare system safe and taking preventive steps against phishing attacks.
It should be reiterated that healthcare providers, health plans and data clearinghouses regulated by HIPAA are required to file reports with HHS in the event of large breaches of ePHI. Based on the breach reports received in 2023, nearly 90 million individuals were affected by large breaches last year. This is up from 55 million individuals affected by breaches in 2022. So, these attacks are not going away; they are only increasing. Hospitals must have measures in place that comply with HIPAA requirements and that are sufficient to defend against the dangling hook that is already in the water.
For more information on a hospital’s responsibility relative to cybersecurity and breaches, check out the OCR’s website (OCR Home | HHS.gov).