HHS Settles with PIH Health Over HIPAA Violations Following Phishing Attack

WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with California-based PIH Health, Inc. for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The case stems from a 2019 phishing attack that exposed the unsecured electronic protected health information (ePHI) of nearly 190,000 individuals.

The breach, reported to OCR in January 2020, revealed that 45 employees’ email accounts were compromised in the attack, leading to unauthorized access to sensitive patient data. Information affected included names, Social Security numbers, addresses, medical diagnoses, lab results, and financial details. OCR’s investigation identified multiple HIPAA compliance failures, including inadequate risk analysis, failure to notify affected individuals within the required 60-day period, and lack of safeguards to prevent unauthorized disclosures of ePHI.

“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”

Under the settlement, PIH Health agreed to pay $600,000 and implement a corrective action plan monitored by OCR for two years. The required measures include conducting a thorough risk analysis, developing risk management strategies, updating HIPAA-related policies and procedures, and providing workforce training on ePHI handling and protection.

OCR has also urged other healthcare entities to take steps to reduce cybersecurity risks, such as auditing information systems, encrypting ePHI, and continuously integrating lessons from past breaches into security protocols.
