Last week, the Office for Civil Rights (“OCR”) announced a settlement with Lafourche Medical Group (“LMG”), a Louisiana medical group, for a 2021 phishing attack and breach that affected the protected health information (“PHI”) of 34,862 individuals. In addition to paying $480,000 to OCR, LMG agreed to a corrective action plan that may include implementing security measures to protect electronic PHI, developing written policies and procedures to comply with HIPAA rules, and training staff members.
Through a phishing attack, in March 2021, a hacker gained access to an owner’s email account. The email account contained patients’ PHI, and because LMG was unable to determine the specific patients affected, it notified all 34,862 of its patients. OCR investigated and found that LMG never conducted a security risk analysis prior to the incident. LMG also had not implemented procedures to regularly review records of information system activity.
Phishing continues to be probably the most pervasive attack vector in cybersecurity incidents, often resulting in breaches of PHI and other sensitive information. It therefore remains important for covered entities and business associates to implement measures to reduce the risk associated with phishing attacks, including regularly training workforce members on how to recognize and avoid falling prey to phishing attacks. Organizations should also consider conducting phishing simulations whereby simulated phishing emails are sent to workforce members to mimic real-world phishing attacks. This not only provides valuable teaching moments to those who fail these simulations but also provides valuable metrics to organizations.