HHS Announces $600,000 Settlement with Calif. Healthcare Network Over Data Breach
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $600,000 settlement with California health care network PIH Health, Inc. (PIH) Wednesday over a phishing attack that allegedly exposed electronic protected health information (ePHI) of almost 200,000 individuals.
After receiving a breach report from the California healthcare network in January 2020, the OCR conducted an investigation into the incident. The investigation found that in June 2019, 45 employee email accounts were compromised, and the unsecured ePHI of 189,763 individuals was breached.
The exposed ePHI prompted concerns about privacy, security and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA).
In addition to the fine, PIH must conduct a risk analysis, develop and implement a risk management plan and train workforce members on HIPAA compliance, among other things, as part of the settlement.
“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval in a press release. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”