From ADA News:
The federal government in April settled a potential violation of the Health Insurance Portability and Accountability Act with a Denver-area federally qualified health center that was reportedly the victim of a 2012 phishing attack.
Another big fine. The breach was from an e-mail scam that took place in 2012, before the new omnibus rules went into effect. Essentially, they were fined for not conducting and documenting an assessment.
On the one hand, it seems harsh to fine someone who was the victim of a scam. On the other hand, it is the responsibility of the health care entity to train employees to detect and avoid phishing attacks or to restrict use of the Internet.