Lafourche Medical Group (LMG) in Louisiana has agreed to pay $480,000 in the first HIPAA settlement related to phishing, the HHS Office for Civil Rights (OCR) said Dec. 7. Phishing is a type of cybersecurity attack that uses email or other electronic communication to trick people into revealing sensitive information by impersonating a trusted source.
According to LMG’s resolution agreement with OCR, LMG filed a breach notification report in May 2021 explaining that it had discovered two months earlier that an unauthorized person had gained access to one of its owner’s email accounts through phishing.[1] LMG ascertained that the email account contained patients’ protected health information (PHI). Because it was unable to identify which patients were affected, LMG told all 34,862 patients what happened.