Washington, D.C. – The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a $600,000 settlement with PIH Health, Inc., a California-based healthcare provider, following an investigation into potential HIPAA violations stemming from a phishing attack that compromised sensitive patient data.

The breach, reported by PIH in January 2020, occurred in June 2019 when attackers infiltrated 45 employee email accounts, exposing the electronic protected health information (ePHI) of 189,763 individuals. The compromised data included:

  • Names, addresses, and dates of birth

  • Social Security and driver’s license numbers

  • Medical diagnoses, lab results, and treatment details

  • Insurance claims and financial information

OCR Findings: Key HIPAA Failures

OCR’s investigation revealed that PIH failed to:

  1. Restrict access to PHI as required by the HIPAA Privacy Rule.

  2. Conduct a comprehensive risk assessment to identify vulnerabilities in ePHI security.

  3. Notify affected individuals and HHS of the breach within the mandated 60-day window.

Settlement Terms & Corrective Actions

As part of the resolution, PIH must:

  • Pay $600,000 in penalties.

  • Implement a two-year corrective action plan under OCR oversight, including:

    • Conducting a full risk analysis of ePHI security risks.

    • Developing a risk management plan to address vulnerabilities.

    • Updating HIPAA-compliant policies and procedures.

    • Providing staff training on HIPAA regulations.

OCR’s Warning & Recommendations

Acting OCR Director Anthony Archeval emphasized that hacking remains a leading cause of large HIPAA breaches, urging covered entities to strengthen cybersecurity measures. OCR recommends:

  • Mapping ePHI flow within systems to identify weak points.

  • Encrypting ePHI both in transit and at rest.

  • Implementing audit controls to monitor system access.

  • Conducting regular staff training on HIPAA compliance.

For more details, see the full resolution agreement published by OCR and review the breach reporting requirements on the HHS Breach Portal.

Key Takeaway: This case underscores the critical need for proactive HIPAA compliance, including robust cybersecurity measures and timely breach response protocols, to safeguard patient data.