The First Phishing Attack Settlement $480,000 Announced!
By Olivia Wann, JD
The OCR reached a $480,000 settlement with a medical group in Louisiana over a phishing attack that affected 35,000 patients.
Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, negative consequences to reputation, health, or physical safety of the individuals, or to others identified in the individual’s protected health information, according to the Office of Civil Rights.
Modern Practice Solutions has been providing training on phishing attacks for quite a few years in our standard HIPAA/Cyber courses. We demonstrate how the cybercriminal mimics a reputable site so that the email appears to come from that organization. For example, rather than [email protected], the email may be from [email protected]. Without carefully reviewing the sender’s information, the person receiving the email may be deceived. The body of the email may claim that the person’s account was compromised and instruct them to click on a link to secure the account. By clicking on the link, the recipient has now compromised the data.
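The lookalike-sender check described above can be automated on the receiving side. The following is an added example written for this post, not code from the original article or from Modern Practice Solutions; the trusted domain `example-clinic.com` and the sample addresses are constructed placeholders. It normalizes the sender's domain, treats exact matches and subdomains of a trusted domain as trusted, and flags domains that are a close edit of a trusted domain (one swapped character, an extra letter) or that embed the trusted name inside a different registered domain.

```python
# Added example: flag sender domains that mimic a trusted domain.
# TRUSTED_DOMAINS and the sample addresses are constructed placeholders.
from difflib import SequenceMatcher
import unicodedata

TRUSTED_DOMAINS = {"example-clinic.com"}  # assumed/placeholder trusted domain


def normalize_domain(domain):
    # Fold case, drop a trailing dot, and apply NFKC so that visually
    # confusable Unicode forms collapse to their ASCII counterparts.
    return unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))


def sender_domain(address):
    # Accept "Display Name <user@domain>" or a bare "user@domain".
    addr = address
    if "<" in address and ">" in address:
        addr = address[address.index("<") + 1:address.index(">")]
    if "@" not in addr:
        return None
    return normalize_domain(addr.rsplit("@", 1)[1])


def classify_sender(address, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return 'trusted', 'lookalike', 'external' or 'malformed'."""
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # A legitimate subdomain, e.g. mail.example-clinic.com.
        if domain.endswith("." + t):
            return "trusted"
        # Near-match on spelling (examp1e-clinic.com, exarnple-clinic.com,
        # example-clinics.com) or the trusted name embedded in another
        # registered domain (example-clinic.com.login-verify.net).
        ratio = SequenceMatcher(None, domain, t).ratio()
        if ratio >= threshold or t in domain:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers; none refer to real mail.
    for sample in [
        "admin@example-clinic.com",
        "Alerts <noreply@mail.example-clinic.com>",
        "security@examp1e-clinic.com",
        "it@example-clinic.com.login-verify.net",
        "friend@unrelated.org",
        "not-an-address",
    ]:
        print(f"{sample!r:45} -> {classify_sender(sample)}")
```

A result of "lookalike" is a signal for a mail gateway rule or a user warning banner, not proof of fraud; tune `threshold` against your own trusted-domain list, because very short domain names produce high similarity ratios for unrelated names.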
When the OCR investigated this recent phishing attack, they learned that the medical group did not conduct a risk analysis. This process is required and critical to identify potential threats or vulnerabilities to electronic protected health information. Have you conducted your HIPAA Security Risk Assessment? If not, please schedule this important service.
The OCR also noted in this recent breach that the medical group did not have policies or procedures in place to regularly review information system activity to safeguard protected health information. Have you contracted with your IT group or a third party to review your system activity? This is critical in order to safeguard the information you maintain on patients against cyberattacks.
The medical group was required to complete the following:
- Establish and implement security measures to reduce security risks and vulnerabilities to ePHI;
- Develop, maintain and revise written policies and procedures to comply with HIPAA;
- Provide training to staff.
Compliance with HIPAA and recognized security practices is not simply a good idea; it’s required. If you experience a cyberattack and you have no proof you’re endeavoring to be in compliance, you too will be subject to hefty penalties.
Protect your practice. Protect your reputation. Get into compliance!