The U.S. Department of Health and Human Services (HHS) reached a $600,000 settlement with PIH Health, Inc. over a phishing attack. The breach exposed the electronic protected health information (ePHI) of over 189,000 individuals, violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Office for Civil Rights (OCR) handled the investigation, uncovering multiple violations of the HIPAA Privacy, Security, and Breach Notification Rules. The settlement agreement mandates that PIH implement a corrective action plan and adhere to it for two years.
The breach occurred in June 2019 when a phishing attack compromised the email accounts of 45 PIH employees. The stolen ePHI included sensitive data such as names, addresses, Social Security numbers, diagnoses, and financial information. OCR’s investigation found that PIH had failed to conduct a thorough risk analysis of ePHI vulnerabilities and did not notify affected individuals within the required 60 days.
The settlement also addresses these deficiencies in PIH’s HIPAA compliance practices.
Under the settlement terms, PIH must implement a corrective action plan and monitor its progress over two years. This plan includes conducting a risk analysis, creating a risk management plan, and ensuring that policies comply with HIPAA. PIH is also required to provide HIPAA-specific training to its workforce members with access to protected health information (PHI). OCR will closely monitor PIH’s actions to ensure compliance with these mandates.
The OCR encourages all covered entities under HIPAA to take proactive steps to secure ePHI and prevent future breaches. The agency recommends conducting thorough risk analysis, ensuring appropriate audit controls, and regularly training staff on HIPAA policies. It also emphasizes the importance of encryption and using secure methods to authenticate access to ePHI. By taking these precautions, healthcare organizations can better safeguard patient data against cyber threats.
Reference:
