Breach began with phishing email

May 1, 2017 Cathy Bryant

Recently, the Office for Civil Rights (OCR) resolved a breach investigation that began with a phishing email. Phishing emails lead to attacks on networks, when authorized users receive an email that appears legitimate. When the users click a link in the email, it launches malware.

Staff training on recognizing phishing emails is important and should be a part of your security awareness training.

Lessons learned from this OCR case reaffirm that covered entities are often failing to meet the most basic requirements of the HIPAA Security Rule — conducting a security risk analysis and developing a risk management plan to address issues discovered. In this case:

  • The covered entity failed to conduct a risk analysis until after the security incident.
  • Consequently, the covered entity had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. 
  • When the covered entity conducted a risk analysis, it was insufficient to meet the requirements of the Security Rule.

As part of the Resolution Agreement the covered entity agreed to:

  • Conduct a Security Risk Analysis after obtaining approval of their plan by Health and Human Services (HHS).
  • Develop a Risk Management Plan.
  • Review and Revise Policies and Procedures.
  • Review and Revise Training Materials.

Additionally, the HHS required the entity to provide Security Rule training to its employees within 30 days of the Resolution Agreement and again every year. New employees would be required to complete training within 30 days of their hire date. This training requirement was far more prescriptive than the training requirements found in the Security Rule itself.

For more information about security risk analysis or cyber risk management, please contact our Product Development and Consulting Services team.

To learn more about email phishing and email fraud, read our SlideShare presentation, What Every Physician Needs to Know: How to Detect Email Fraud.

About the Author

Cathy Bryant

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at

Visit Website More Content by Cathy Bryant
Previous Article
Ransomware: A clear and present danger

Case studies is to help physicians respond appropriately to ransomware attacks.

Next Article
Is your cyber security really covered?

Effective cyber security requires a multi-layered approach using threat detection, prevention, and incident...