HHS Announces Settlement With PIH Health Following Potential HIPAA Violations
The HHS’s Office for Civil Rights (OCR) has announced a “settlement with PIH Health, Inc. (PIH), a California healthcare network, over potential violations of the [HIPAA] Act.”
The violations stem from “a phishing attack that exposed unsecured electronic protected health information (ePHI), prompting concerns related to the Privacy, Security, and Breach Notification Rules under HIPAA.” Those rules “set forth the requirements that covered entities…and business associates must follow to protect the privacy and security of Americans’” PHI.
This settlement “resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI.” The information disclosed in the phishing attack included “affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.”
OCR’s investigation found several potential violations of the HIPAA Rules, and PIH agreed to “implement a corrective action plan that will be monitored by OCR for two years” and paid a $600,000 settlement to OCR. “Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules.”

Matt MacKenzie | Associate Editor
Matt is Associate Editor for Healthcare Purchasing News.