USA: HHS announces $480,000 settlement with Lafourche Medical Group over HIPAA violations

On December 7, 2023, the U.S. Department of Health & Human Services (HHS) announced that Lafourche Medical Group, LLC (LMG) had entered into a Resolution Agreement in which it agreed to pay $480,000 to the HHS Office for Civil Rights (OCR) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules.

Background to the settlement

In particular, the HHS explained that on May 28, 2021, it received a breach notification report from LMG stating that on March 30, 2021, LMG learned that an unauthorized individual had obtained access to one of its owners' email accounts through a phishing attack. LMG determined that the email account contained patients' protected health information (PHI). Because LMG was unable to identify the specific patients affected, it notified all of its patients of the incident.

Findings of the HHS

Following an investigation, the HHS determined that before the 2021 breach, LMG had failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic PHI, as required by Section 164.308(a)(1)(ii)(A) of the Code of Federal Regulations (C.F.R.) under the HIPAA Rules. The HHS also found that LMG had no policies or procedures in place to regularly review information system activity (such as audit logs and access reports) to safeguard PHI against cyberattacks, contrary to Section 164.308(a)(1)(ii)(D) of the C.F.R. under the HIPAA Rules.

In light of the above, LMG agreed to the aforementioned settlement and to implement a corrective action plan that will be monitored by the OCR for two years. LMG also agreed to:

  • establish and implement security measures to reduce security risks and vulnerabilities to electronic PHI;
  • develop, maintain, and revise written policies and procedures as necessary to comply with the HIPAA Rules; and
  • train all staff members who have access to patients' PHI on HIPAA policies and procedures.

You can read the press release here, and the Resolution Agreement here.