Tuesday, October 14, 2025

PIH Health to pay government $600,000 for privacy violations from 2019 phishing attack


Introduction to the Settlement

Whittier-based PIH Health Inc. has agreed to pay $600,000 to the federal government for failing to promptly disclose a 2019 phishing attack that compromised 45 employee email accounts and breached records belonging to 189,763 patients.

The settlement, announced last week by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), does not address a separate December 2024 cyber breach at PIH in which hackers claimed to have stolen 17 million confidential patient files.

Background on HIPAA Regulations

The OCR is responsible for enforcing the Health Insurance Portability and Accountability Act, a federal law providing protections for health information. The settlement resolves an investigation by OCR following a breach report from PIH in January 2020, about seven months after the phishing attack. HIPAA regulations require covered entities to report breaches affecting protected health information within 60 days of discovering the breach.

Details of the Phishing Attack

“Hacking is one of the most common types of large breaches reported to OCR every year,” OCR Acting Director Anthony Archeval said in a statement. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.” PIH stated in a breach report that, in June 2019, a phishing attack compromised employee emails, exposing patients’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment, insurance claims, and financial information.

Violations of HIPAA

The OCR investigation found that PIH potentially committed multiple violations, including:

  • Using or disclosing protected health information in a manner not permitted or required by HIPAA.
  • Failing to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality and integrity of PIH’s email system.
  • Failing to notify affected individuals, the Department of Health and Human Services, and the media of the cyber breach within 60 days of its discovery.

Corrective Action Plan

In addition to paying $600,000, PIH has agreed to implement a corrective action plan that OCR will monitor for two years. The plan requires PIH to take definitive steps toward resolving the potential HIPAA violations, including implementing a plan to address and mitigate the security and confidentiality risks and vulnerabilities of its email system.

Recent Cyber Attack

PIH officials did not immediately respond to requests for comment regarding the settlement, or regarding whether PIH has notified the Department of Health and Human Services of a separate cyber attack on Dec. 1, 2024, which hackers allege compromised more than 17 million patient records. In that incident, hackers paralyzed phone and computer systems for weeks at PIH hospitals in Downey, Whittier and Los Angeles, along with associated urgent care centers, doctors’ offices, and an associated home health and hospice agency.

Investigation and Lawsuits

The Southern California News Group obtained a copy of a threatening typewritten letter purportedly faxed by the unidentified hackers to PIH outlining the scope of the attack. The cyber thieves said PIH’s network was “highly vulnerable,” with data stored insecurely on servers. They also claimed to have stolen about 2 terabytes of files, documents and reports, including confidential patient diagnoses, test results, photos, and treatments. The Department of Health and Human Services declined to say whether PIH is being investigated or faces financial penalties for the cyber attack that has sparked several lawsuits.

Conclusion

The settlement highlights the importance of prompt disclosure of cyber breaches and adherence to HIPAA regulations. The corrective action plan PIH has agreed to is intended to address and mitigate the security risks and vulnerabilities that led to the breach and to better protect patient health information.

FAQs

Q: How much will PIH Health pay to the federal government for the 2019 phishing attack?
A: PIH Health will pay $600,000 to the federal government.
Q: How many patient records were breached in the 2019 phishing attack?
A: 189,763 patient records were breached.
Q: What is the HIPAA requirement for reporting breaches affecting protected health information?
A: Covered entities must report breaches within 60 days of discovering the breach.
Q: Is PIH being investigated for the December 2024 cyber attack?
A: The Department of Health and Human Services declined to comment on whether PIH is being investigated for the December 2024 cyber attack.

Originally Published: May 2, 2025 at 7:00 AM PDT
