Third-Party Phishing Attack Affects Approximately 34,862 Lafourche Medical Group Patients

Lafourche Medical Group, a Louisiana-based urgent care center operator, has notified 34,862 patients of a security breach that may have exposed some of their protected health information (PHI).

On March 30, 2021, Lafourche Medical Group learned that an external accountant had responded to a phishing email impersonating one of the group's owners and had disclosed login credentials to the attacker. The attacker then used those credentials to access the group's Microsoft 365 account.

A third-party IT firm assisted with the investigation and found no evidence that the group's on-premises systems or its cloud-based electronic medical record system had been compromised. However, the credentials could have been used to view or retrieve data from its Microsoft 365 environment, which contained some patient information. According to the group's substitute breach notice, the size of the email system made it impossible to determine all of the patient data that may have been stored there.

Clinical systems were not breached; however, email had been used to exchange selected patient data for billing and other clinic purposes. The types of information commonly transmitted by email included names, addresses, email addresses, dates of birth, dates of service, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating provider names, and lab test results.

A stronger vetting process has been put in place for business associates, and a third-party IT firm was engaged to reassess the group's systems and security controls and to recommend best practices for improving data security. Several measures have already been implemented, including strengthening the firewall and the spam and malware filters, adopting stricter password policies, adding multi-factor authentication for mobile access, and retraining employees on cybersecurity, social engineering, and phishing.