Phishing Attack and Late Breach Notifications Lead to $600K HIPAA Fine for PIH Health
The HHS’ Office for Civil Rights (OCR) has announced its 6th financial penalty of the year to resolve alleged violations of the HIPAA Rules. PIH Health, a California health care network, agreed to settle the alleged HIPAA violations and paid a $600,000 financial penalty.
The data breach that triggered the investigation occurred in June 2019, but was not reported to OCR until January 10, 2020, 7 months after the breach occurred. Hackers gained access to 45 employee email accounts between June 11 and June 21, 2019, in a targeted phishing campaign. The email accounts contained the electronic protected health information of 189,763 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.
The breach stands out due to the number of email accounts compromised in the attack and the time taken to issue notifications to the HHS and the affected individuals. OCR’s investigation identified violations of multiple provisions of the HIPAA Rules, including the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.
The HIPAA Privacy Rule places restrictions on uses and disclosures of protected health information (PHI). OCR determined that there had been an impermissible disclosure of the PHI of 189,763 individuals to the threat actor who conducted the phishing attack. The HIPAA Security Rule requires regulated entities to conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. OCR determined that a HIPAA-compliant risk analysis had not been conducted.
The HIPAA Breach Notification Rule requires the HHS Secretary and the affected individuals to be notified about a breach of unsecured PHI, and if the breach affects more than 500 individuals, a media notice must be provided to prominent media outlets in the locations where the affected individuals reside. All notifications must be issued without undue delay and no later than 60 days after the date of discovery of the data breach. PIH Health was found to have violated all three of those notification requirements.
OCR notified PIH Health about the outcome of the investigation and the intention to impose a financial penalty, and gave PIH Health the opportunity to settle the case informally. PIH Health agreed to pay a $600,000 financial penalty to resolve the alleged HIPAA violations and adopt a corrective action plan to ensure full compliance with the HIPAA Rules. PIH Health will be monitored for compliance with the corrective action plan for two years.
The corrective action plan requires PIH Health to conduct a comprehensive and accurate risk analysis, develop a risk management plan that reduces the risks and vulnerabilities identified by the risk analysis to a low and acceptable level, develop and maintain written policies and procedures to comply with the HIPAA Rules, and train members of the workforce on those policies and procedures. The enforcement action should serve as a warning to HIPAA-regulated entities about the importance of issuing notification letters promptly in the event of a data breach.
The sizeable settlement takes the total funds collected through OCR’s enforcement actions in 2025 past $2 million. “Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”