St. Joseph’s Medical Center and Lafourche Medical Group Pay HIPAA Penalties to Resolve Violations

$80,000 HIPAA Fine Paid by St. Joseph’s Medical Center for Disclosing PHI to a Reporter

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced the 11th HIPAA penalty of 2023. OCR investigated St. Joseph’s Medical Center, a non-profit academic medical center in New York, over the disclosure of patients’ protected health information (PHI) to a reporter. To resolve the alleged HIPAA violations, St. Joseph’s Medical Center paid a financial penalty of $80,000.

The HIPAA Privacy Rule permits disclosures of PHI for treatment, payment, and healthcare operations. Other disclosures of PHI are generally prohibited unless the patient has given authorization. OCR opened its investigation of St. Joseph’s Medical Center on April 20, 2020, in response to an article published by an Associated Press (AP) reporter. From the details in the article, it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article described the medical center’s response to the COVID-19 public health emergency and included photographs and information about patients in the facility. The photographs were distributed nationwide and disclosed PHI such as the patients’ COVID-19 diagnoses, current health conditions, vital signs, medical prognoses, and treatment plans. OCR’s investigation found evidence that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained valid HIPAA authorizations from the patients, and the disclosure of PHI was not otherwise permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation without admitting liability and agreed to adopt a corrective action plan (CAP). Under the CAP, St. Joseph’s Medical Center must review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they comply with the HIPAA Privacy Rule; submit those policies and procedures to OCR for review; distribute the revised policies and procedures to all members of its workforce; and have all workforce members sign a compliance certification confirming that they have read and understood them. St. Joseph’s Medical Center will also be monitored by OCR for compliance for two years.

“Whenever having health care in hospitals and emergency rooms, patients must not need to worry that healthcare providers may expose their health data to the media with no consent,” stated OCR Director Melanie Fontes Rainer. “Providers should be cautious in relation to patient privacy and take needed actions to safeguard it and stick to the law. The Office for Civil Rights will always observe enforcement actions that prioritize patient privacy.”

PHI Disclosures Due to Media Enquiries

With regard to PHI disclosures in response to media inquiries, the HIPAA Privacy Rule at 45 CFR § 164.510(a) permits limited disclosures to persons who ask about a patient by name, covering the patient’s general condition and location in the healthcare facility.

In these cases, disclosure of PHI is permitted only when it is consistent with the patient’s wishes and the person asks for the patient by name. What may be shared is facility directory information: the patient’s name, the patient’s location within the facility (provided the location does not reveal information about the patient’s treatment, such as labor and delivery), and the patient’s general condition (e.g., stable, good, or critical). Any other information or PHI may be disclosed only with HIPAA-compliant patient authorization.

OCR Enforces First HIPAA Penalty in a Phishing Attack Investigation

The HHS Office for Civil Rights (OCR) has resolved a cybersecurity investigation and imposed its first financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) for Security Rule violations connected to a phishing attack. Lafourche Medical Group, a Louisiana provider specializing in occupational medicine, emergency medicine, and laboratory testing, submitted a data breach report to OCR on May 28, 2021, stating that the PHI of around 34,862 individuals had been affected.

According to the breach notification, an attacker gained access to an owner’s email account on March 30, 2021, after the owner responded to a phishing email that impersonated one of the medical group’s owners. Through that account, the attacker gained access to the Microsoft 365 environment containing patient information. Lafourche Medical Group stated that, because of the size of the email system, it could not determine which patients’ data had been compromised, so notification letters were sent to all patients. The compromised information included names, birth dates, addresses, dates of service, phone numbers, email addresses, medical record numbers, health plan beneficiary numbers and insurance information, guarantor names, diagnoses, names of treating practitioners, and laboratory test data.

OCR investigated the incident to determine whether noncompliance with the HIPAA Rules caused or contributed to the breach. OCR’s investigators found that Lafourche Medical Group had not performed a security risk analysis before the phishing attack. Under the HIPAA Security Rule at 45 C.F.R. § 164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, availability, and integrity of PHI. OCR also confirmed that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity before the phishing attack. That, too, is a required implementation specification of the HIPAA Security Rule, at 45 C.F.R. § 164.308(a)(1)(ii)(D).

Lafourche Medical Group agreed to settle the investigation without admitting liability or wrongdoing. In addition to the financial penalty, Lafourche Medical Group will implement a corrective action plan (CAP) that requires it to develop and implement security measures to reduce risks and vulnerabilities to ePHI; to develop, maintain, and revise written policies and procedures as needed to comply with HIPAA; and to provide HIPAA training to all workforce members with access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.

“Phishing is the most popular method used by hackers to access healthcare systems to steal sensitive information and health data,” stated OCR Director Melanie Fontes Rainer. “The healthcare sector must be alert in securing its systems and sensitive health records, including regular training of employees and regularly checking and managing system issues to avoid these attacks.”

This is OCR’s 12th HIPAA penalty of 2023 and the second-largest so far this year. To date in 2023, OCR has imposed HIPAA penalties totaling $4,016,500.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Her contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone