AI, Phishing Attacks, Healthcare, and a $480,000 OCR Settlement under HIPAA

Posted Feb 27, 2024

By Joseph J. Lazzarotti with Jackson Lewis P.C.

Body Phishing has long been a favorite tactic for threat actors (hackers) to commence a cyberattack. The rapid expansion of more adaptable and available artificial intelligence (AI) technologies, such as natural language processing and large language models, now fuels more ferocious phishing campaigns. The effects are being felt in many industries, perhaps most notably the healthcare industry. One indicator of that may be the recent Office for Civil Rights (OCR) announcement of its “First Ever Phishing Cyber-Attack Investigation”

In October 2023, the U.S. Department of Health and Human Services (HHS) and the Health Sector Cybersecurity Coordination Center (HC3) published a white paper entitled, AI-Augmented Phishing and the Threat to the Health Sector, the HC3 Paper. While many have been using ChatGPT and similar platforms to leverage generative AI capabilities to craft client emails, layout vacation itineraries, support coding efforts, and help write school papers, threat actors have been hard at work using the technology for other purposes. According to the HC3 Paper,

Making this even easier for attackers, tools such as FraudGPT have been developed specifically for nefarious purposes. FraudGPT is a generative AI tool that can be used to craft malware and texts for phishing emails. It is available on the dark web and Telegram for a relatively cheap price – a $200 per month or $1700 per year subscription fee – which makes it well within the price range of even moderately sophisticated cybercriminals.

The HC3 Paper is informative. It not only outlines some basics about AI and the healthcare industry but also speaks to helpful countermeasures and best practices. These include:

  • email filtering,
  • employee training and awareness,
  • multifactor authentication, and
  • endpoint security management.

Of course, phishing is nothing new. As noted by the HC3 Paper, the FBI’s Internet Crime Complaint Center (IC3) found that phishing attacks were the number one reported cybercrime in 2022, with over 300,00 complaints reported. And, important for the healthcare industry, phishing was the most common attack impacting healthcare organizations, amounting to nearly half of the attacks in 2021, according to the Healthcare Information and Management Systems Society.

This brings us to the recent OCR’s enforcement action and resolution agreement. According to an OCR announcement, a relatively small urgent care center in Louisiana experienced a HIPAA breach that was initiated by a phishing attack. Reports about the incident suggest the attack affected nearly 35,000 individuals. According to the resolution agreement, the OCR alleged that before the incident, the HIPAA-covered entity had not conducted a HIPAA Security Rule risk analysis or implemented procedures to regularly review records of information system activity. In addition to the payment of a restitution amount of $480,000, the center agreed to a two-year corrective action plan.

Phishing attacks are serious business and they have become more so since being fueled by AI technologies – the healthcare industry continues to be a prime target. It is critical for covered entities and business associates to not only implement measures to prevent these attacks but to also be prepared to respond when they occur. Develop and maintain an incident response plan! Back to basics on HIPAA compliance also is critical when responding to an OCR inquiry. Cyberattacks happen and inquiries may follow. Maintaining a record of HIPAA compliance will be one of, if not, the most important element in the response to the OCR or state agency.

If you’d like to speak to an Asure HR expert about your business, connect with us.

 

JACKSON LEWIS P.C. (“FIRM”) PROVIDES THE INFORMATION IN THIS POST FOR GENERAL INFORMATIONAL PURPOSES ONLY. THIS POST SHOULD NOT BE RELIED UPON OR REGARDED AS LEGAL ADVICE. NO ONE ACCESSING OR REVIEWING THIS POST, WHETHER OR NOT A CURRENT CLIENT OF THE FIRM, SHOULD ACT OR REFRAIN FROM ACTING BASED ON SUCH CONTENT OR INFORMATION, WITHOUT FIRST CONSULTING WITH AND ENGAGING A QUALIFIED, LICENSED ATTORNEY, AUTHORIZED TO PRACTICE LAW IN SUCH PERSON’S PARTICULAR STATE, CONCERNING THE PARTICULAR FACTS AND CIRCUMSTANCES OF THE MATTER AT ISSUE. THE POST MAY NOT REFLECT CURRENT LEGAL DEVELOPMENTS, OR LAWS OR RULES THAT MAY APPLY IN PARTICULAR JURISDICTIONS. THE FIRM AND ITS LAWYERS EXPRESSLY DISCLAIM ALL LIABILITY IN CONNECTION WITH ACTIONS TAKEN OR NOT TAKEN BASED ON ANY OR ALL OF THE CONTENTS OR INFORMATION ACCESSIBLE THROUGH THIS SITE. ANY INFORMATION ABOUT PRIOR RESULTS ATTAINED BY THE FIRM OR ITS LAWYERS IS NOT A GUARANTEE OR WARRANTY THAT A SIMILAR OUTCOME WILL BE ACHIEVED.        

THE FIRM IS NOT RESPONSIBLE FOR THE CONTENT, OPERATION, LINKS, TRANSMISSIONS, OR ANY INFORMATION PROVIDED ON ANY OTHER PART OF ASURE SOFTWARE, INC.’S WEBSITE OR ANY THIRD-PARTY WEBSITE THAT MAY BE ACCESSED BY A LINK FROM THIS WEBSITE.        

NOTHING PROVIDED BY THE FIRM IS INTENDED TO FORM AND WILL NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP.        

THIS POST MAY BE CONSIDERED ATTORNEY ADVERTISING UNDER THE RULES OF SOME STATES. THE HIRING OF AN ATTORNEY IS AN IMPORTANT DECISION THAT SHOULD NOT BE BASED SOLELY UPON ADVERTISEMENTS.        

STATEMENT IN COMPLIANCE WITH TEXAS RULES OF PROFESSIONAL CONDUCT: UNLESS OTHERWISE INDICATED IN INDIVIDUAL ATTORNEY BIOGRAPHIES, LAWYERS RESIDENT IN THE FIRM’S VARIOUS OFFICES ARE NOT CERTIFIED BY THE TEXAS BOARD OF LEGAL SPECIALIZATION.

Unlock your growth potential

Talk with one of experts to explore how Asure can help you reduce administrative burdens and focus on growth.

Get Connected