Last week, the Office for Civil Rights ("OCR") announced a settlement with Lafourche Medical Group ("LMG"), a Louisiana medical group, over a 2021 phishing attack and breach that affected the protected health information ("PHI") of 34,862 individuals. In addition to paying $480,000 to OCR, LMG agreed to a corrective action plan that will include implementing security measures to protect electronic PHI, developing written policies and procedures to comply with the HIPAA Rules, and training workforce members.
In March 2021, through a phishing attack, a hacker gained access to an owner's email account. The email account contained patients' PHI, and because LMG was unable to determine the specific patients affected, it notified all 34,862 of its patients. OCR investigated and found that LMG had never conducted a security risk analysis prior to the incident. LMG also had not implemented procedures to regularly review records of information system activity.
Phishing remains the most pervasive attack vector in cybersecurity incidents, often resulting in breaches of PHI and other sensitive information. It therefore remains critical for covered entities and business associates to implement measures to reduce the risk associated with phishing attacks, including regularly training workforce members on how to recognize and avoid falling prey to phishing attacks. Organizations should also consider conducting phishing simulations, in which simulated phishing emails are sent to workforce members to mimic real-world phishing attacks. This not only provides valuable teaching moments for those who fail the simulations but also provides useful metrics to the organization.