34,862 patients of Lafourche Medical Group, a Louisiana-based urgent care center operator, have been notified that a security incident may have resulted in a portion of their protected health information being compromised.
Lafourche Medical Group learned in March 2021 that an external accountant had replied to a phishing email that claimed to have been sent by one of the owners of Lafourche Medical Group. Responding to the email gave the attackers credentials that allowed access to the group’s Microsoft 365 environment.
An external third-party IT company was contracted to assist with the investigation. The company did not find any evidence to suggest that the group’s on-premises systems or cloud-based electronic medical record system had been infiltrated. However, it was not possible to rule out data theft from the Microsoft 365 environment with a high degree of certainty.
A review of the accounts that could potentially have been accessed confirmed they included a range of private patient information. The substitute breach notice released by Lafourche Medical Group stated “Due to the size of the email system, we are unable to identify all potential patient information that may have been contained in the system.”
Clinical data was in no way impacted; however, emails had been used to share specific patient information in relation to billing and other clinical processes. The range of data shared via email typically included names, addresses, dates of birth, dates of service, email addresses, telephone contact details, medical record numbers, insurance and health plan beneficiary numbers, guarantor identification, diagnoses, treating practitioner names, and laboratory test results.
Following the identification of the breach, the group has put in place an enhanced vetting process for business associates. Additionally, a third-party IT consultancy was brought in to audit computer systems and security measures. Recommendations for best practices and information security enhancements were provided and have now been implemented to improve security. These recommendations included bolstering the firewall and spam and malware filters, creating stricter password policies, implementing multi-factor authentication for mobile access, and conducting further training for staff on cybersecurity, social engineering, and phishing attacks.