HHS OCR resolved its investigation of Lafourche Medical Group with a $480,226 settlement and a corrective action plan after finding that the practice had never conducted the HIPAA risk analysis required under the Security Rule (45 CFR 164.308(a)(1)). The investigation was triggered by a phishing attack that gave an attacker access to an employee email account containing the PHI of approximately 34,000 patients. OCR found that Lafourche had no risk analysis on file and no security management process in place.
Lafourche Medical Group — No Risk Analysis HIPAA Penalty ($480K)
What Went Wrong
A phishing email led to the compromise of an employee's credentials, and the attacker used them to access the employee's email account, which contained the PHI of roughly 34,000 patients. The enforcement record does not say how long the attacker retained access. When OCR investigated, it found that Lafourche had never conducted the required risk analysis, not once in the years since the Security Rule's compliance date, and so had no documented understanding of where its ePHI lived or what threatened it.
Lessons Learned
The risk analysis is mandatory, not optional, and it is not a one-time event: it must be documented, and it must be revisited whenever the environment changes (new systems, new vendors, new ways of handling ePHI), because OCR will ask for it in any investigation. Small and mid-sized healthcare providers are subject to the same Security Rule as large health systems; size is not a defense. Email systems that hold PHI are a primary target, and the baseline controls for them are phishing-resistant MFA on all mailbox access, anti-phishing filtering and user reporting, data loss prevention to keep PHI from accumulating in mailboxes, and audit logging that lets you establish how long an intruder had access, which Lafourche could not do. OCR treats the absence of a risk analysis as a serious violation in its own right, independent of whether a breach occurred.
Source: Official Enforcement Record