Milestone First-Ever Phishing Attack Settlement

On December 7, 2023, the Department of Health & Human Services, Office for Civil Rights (OCR) announced its first-ever settlement involving a cyber-attack that emanated from a phishing scheme. “Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source,” and, according to OCR’s Director, “is the most common way that hackers gain access to health care systems to steal sensitive data and health information.”

By way of background, OCR conducted an investigation of a medical group after it filed a breach report with OCR stating that a hacker, through a successful phishing attack, had gained access to an email account containing protected health information, or PHI. Among OCR’s findings were that the group failed to conduct an organization-wide risk analysis to identify potential threats or vulnerabilities to the group’s systems, had no HIPAA policies and procedures in place, and failed to regularly review system activity. In settling the matter, the group agreed to pay OCR $480,000 and implement a corrective action plan that will be monitored for two years.

This item is part of the February 2024 Healthcare Law Update.

For more information or assistance with your privacy and security program, contact:
Lani M. Dornfeld, CHPC | 973.403.3136 |

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.
