In a stark reminder of how devastating phishing attacks can be, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $600,000 settlement with PIH Health, Inc., a California-based healthcare network, following a data breach that compromised the electronic protected health information (ePHI) of almost 190,000 individuals.
The breach stemmed from a June 2019 phishing attack that compromised 45 employee email accounts and exposed a range of sensitive data—including names, Social Security numbers, diagnoses, lab results, and even financial information. PIH did not report the incident until January 2020, roughly seven months later, which triggered an OCR investigation.
What Went Wrong?
OCR identified several HIPAA violations in PIH’s handling of the incident:
- Failing to limit the use and disclosure of PHI as required by the HIPAA Privacy Rule
- Not conducting a comprehensive risk analysis to assess vulnerabilities to ePHI
- Delaying breach notification beyond the 60-day window mandated by HIPAA
These lapses led to a settlement agreement requiring PIH to not only pay $600,000, but also to implement a Corrective Action Plan (CAP) over the next two years. The CAP includes conducting a full risk analysis, implementing a risk management strategy, updating HIPAA policies, and training staff on those policies.
A Cautionary Tale for All Covered Entities
“Hacking is one of the most common types of large breaches reported to OCR every year,” said Acting OCR Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”
In other words, don’t wait until a breach forces you into compliance—get ahead of it now.
Key Takeaways for HIPAA-Covered Organizations
To reduce the risk of a similar incident, OCR urges all healthcare providers, health plans, clearinghouses, and business associates to take the following steps:
- Map out where ePHI lives in your systems, how it enters and exits, and who has access
- Integrate HIPAA risk analysis into your organization’s everyday business processes
- Enable audit controls and review system activity regularly
- Use multi-factor authentication and encryption to protect ePHI in transit and at rest
- Offer frequent, role-specific HIPAA training to your workforce
Need Help with Healthcare Compliance?
Compliancy Group’s software, The Guard, simplifies compliance—ensuring you’re audit-ready, breach-prepared, and worthy of your patients’ trust. With tools to manage policies, procedures, training, and risk assessments, you’ll spend less time stressing about breaches and more time focusing on care.
Learn how we can help you stay secure and compliant in 2025.
