Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry

Phishing, the act of impersonating a person or business to deceive a target into revealing sensitive information, has quickly become the tool of choice for scammers and cybercriminals. In 2023, the Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center noted that there were 298,878 complaints of phishing, a significant increase from the 114,702 cases reported in 2019.

With this surge in phishing attacks, healthcare providers and other entities that handle sensitive personal information must remain vigilant against the ongoing threat phishing represents and take proactive steps to mitigate potential risks.

OCR's First Phishing Settlement

The US Department of Health and Human Services, Office for Civil Rights (OCR) has not ignored the evolving trends of cybercriminals and, as recently as December 2023, sent a clear message to healthcare providers in its first phishing cyberattack settlement: Conduct regular risk assessments and use best practices to safeguard sensitive data.

In its settlement with Lafourche Medical Group LLC, an emergency medicine, occupational medicine, and laboratory-testing medical group in Louisiana, OCR identified that Lafourche “failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA.” Notably, Lafourche had no policies or procedures in place to safeguard electronic protected health information (ePHI) against cyberattacks.

Lafourche was not prepared when a phishing attack on March 30, 2021, resulted in unauthorized access to an email account containing ePHI. Lafourche reported the breach to the US Department of Health and Human Services on May 28, 2021; the ePHI of nearly 35,000 individuals was compromised.

OCR Director Melanie Fontes Rainer said of the incident: “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks.”

As part of a resolution agreement with OCR, Lafourche agreed to pay $480,000 and to implement a corrective action plan that OCR will monitor for two years. This was the first OCR settlement resolving a HIPAA investigation that arose from a phishing attack.

OCR Director Rainer noted: “We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.” OCR’s acknowledgment that preventing future phishing attacks will require cross-sector participation is a positive development for all those involved in the healthcare space.

The salient takeaway is that reducing human error through regular training and ongoing risk assessments is an essential step for healthcare providers that want to safeguard patient data and avoid severe financial consequences. Training lowers, but never eliminates, the chance that an employee hands over a password, so it should be paired with technical controls that limit the damage when that happens, such as multifactor authentication on email accounts and regular review of account activity for unauthorized access.

Phishing attacks are only expected to get harder to detect and more damaging. In October 2023, the HHS Office of Information Security released a white paper noting that generative artificial intelligence (AI) allows cybercriminals to generate and polish the text of phishing messages, removing the spelling and grammar mistakes that employees are often trained to look for. Indeed, a malicious AI service marketed as "FraudGPT" is already being advertised on the dark web.

With the rapid spread of information about, and use of, AI, the prevalence of these attacks is expected to increase sharply, underscoring the need to regularly update and pressure-test security policies and procedures. Companies should dedicate additional resources to employee education to further reduce the potential for human error, conduct and document regular risk assessments, and design their systems to current security standards.

How We Can Help

Morgan Lewis guides and counsels businesses navigating data security best practices. Our HIPAA and data-privacy lawyers stand ready to assist companies in navigating these complex issues.