Louisiana-based Lafourche Medical Group agreed to pay $480,000 as part of the first phishing attack-related settlement the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) has reached under the Health Insurance Portability and Accountability Act (HIPAA).

Lafourche also agreed to two years of OCR monitoring and to a corrective action plan, the agency announced Thursday.

The details: In May 2021, Lafourche reported to the HHS that it had been breached through a phishing attack two months earlier. The agency’s investigation found that the attack affected the electronic protected health information of nearly 35,000 individuals.

The OCR determined Lafourche failed to conduct a proper risk analysis of potential threats to electronic protected health information as required by HIPAA and did not have policies or procedures in place to regularly review information system activity.

Compliance considerations: Under its corrective action plan, Lafourche agreed to:

  • Implement security measures to reduce risks to electronic protected health information;
  • Develop, maintain, and revise written policies and procedures as necessary to comply with HIPAA; and
  • Provide training to all staff members who have access to patients’ protected health information on HIPAA policies and procedures.

Lafourche did not admit liability in reaching the settlement. The company could not be reached for comment.