Another Phishing Attack results in a $600,000 settlement

PIH Health, Inc. (PIH), a California health care network, has agreed to pay the OCR $600,000. The violations stem from an email phishing attack that exposed unsecured electronic protected health information (ePHI).

The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years and paid a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

Phishing attacks continue to pose a significant threat to the healthcare industry, exploiting human error to gain unauthorized access to sensitive patient data. These attacks typically involve deceptive emails or messages that trick staff into revealing login credentials, clicking malicious links, or downloading malware.

Due to the high value of protected health information (PHI) on the black market, healthcare organizations are prime targets for cybercriminals. Successful phishing breaches can lead to widespread data exposure, operational disruption, regulatory penalties, and loss of patient trust.

In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has intensified enforcement actions against healthcare entities that fail to implement adequate phishing defenses, such as employee training, risk assessments, and email security tools. As phishing tactics grow more sophisticated, healthcare organizations must prioritize a layered cybersecurity approach to protect against these persistent threats.

Securing email accounts is critically important, especially in sectors like healthcare, where sensitive information is routinely exchanged. Email is often the gateway to an organization’s internal systems and can serve as a direct path for cybercriminals to access protected health information (PHI), financial data, and other confidential content. Unsecured email accounts are particularly vulnerable to phishing attacks, credential theft, and unauthorized access, all of which can lead to data breaches, regulatory fines, and reputational damage.

What to do to prevent a Breach?

Implementing strong passwords, multi-factor authentication (MFA), encryption, and regular staff training are essential steps in safeguarding email communications. By fortifying email security, organizations not only reduce the risk of cyberattacks but also demonstrate a proactive commitment to protecting patients, and organizational data.

OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes regularly.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

HIPAA Audits and Penalties May Increase

2023 HIPAA audits and penalties may increase since the Department of Health and Human Services (HHS) has delivered their annual report to congress. They noted there have been significant increases in HIPAA complaints and large breaches. They also noted that there have not been increases in appropriations during the same time frame. The Office for Civil Rights (OCR) requested that the HITECH civil monetary penalty caps be increased in the HHS FY 2023 Discretionary A-19 Legislative Supplement that was sent to Congress. Prepare for more HIPAA audits and higher penalties.

The Annual Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during calendar year 2021 and the actions taken in response to those breaches. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements, including:

  • risk analysis and risk management
  • information system activity review
  • audit controls
  • access controls

The OCR Director Melanie Fontes Rainer stated, “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

Enforcement Process

The OCR is in charge of enforcing the HIPAA Rules. They start my investigating written complaints and conducting reviews to determine if the covered entity or business associates failed to comply with the HIPAA Rules. The OCR will only act upon complaints that meet certain requirements. These include:

  1. The violation must occur after the HIPAA Rules have been required.
  2. The complaint must be filed against an entity that is required to adhere to the HIPAA Rules.
  3. The complaint must describe the activity that violated the HIPAA Rules.
  4. The complaint must be filed within 180 days of the occurrence. The OCR may waive this requirement if the individual shows good cause for being unable to file within the time frame requirement.

The OCR must determine whether the complaint is eligible for enforcement action. If the case is not within the OCR’s jurisdiction, the case will be closed. If the complaint is eligible for enforcement action, the OCR often provides technical assistance to resolve the case without further investigation.

In addition, OCR’s compliance activities include conducting audits and providing education and support with the HIPAA Rules. When necessary, the OCR has authority to issue subpoenas to encourage cooperation with an investigation.

The OCR may also initiate a compliance review investigation when they learn that the breach was caused by the covered entity’s business associate and open a compliance review of the business associate.

Compliance Reviews

The HIPAA Rules provide that the Secretary may open compliance review investigations of covered entities and business associates based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity. Multiple complaints of the same or similar violations demonstrate systemic compliance deficiencies. These are typically investigated under one transaction for the purpose of achieving compliance.

Investigations

Once an investigation is initiated, the OCR will collect evidence through witness statements, interviews, requests for reports from the entity, and site visits. It is required by law that all entities involved must cooperate. If the event implicates criminal activity, the OCR may refer the complaint to the Department of Justice (DOJ). Keep in mind, if the DOJ declines the case, the OCR may review for potential civil violations and investigate the case.

Sometimes the OCR may determine there isn’t enough evidence to support the entity violated the HIPAA Rules. In these cases, the OCR will send a letter closing the case and explaining the results of the investigation.

In the cases where the OCR determines that the covered entity or business associate was not in compliance the OCR will generally try to resolve the case by obtaining voluntary compliance through corrective action which may include a resolution agreement.

Resolution Agreements

When the OCR discovers non-compliance due to willful neglect or where the scope and scope warrants additional enforcement action, the OCR will pursue a resolution agreement with a payment settlement amount. This also includes a corrective action plan (CAP). The OCR is willing to negotiate the terms of the resolution agreement and the payment amount may be reduced from the amount that they are actually liable for. The amount is based on the entity’s ability to pay, keep in mind, that may be quite different than what the entity thinks. Also, in most cases the resolution agreement includes the requirement to fix the issues and to be monitored for a period of time.

Civil Money Penalties (CMP)

If the entity involved is not able to reach a satisfactory agreement to resolve the issues or if the entity violates the resolution agreement, the OCR may pursue formal enforcement action. If a CMP is proposed the entity may request a hearing in which a Departmental administrative law judge decides if the CMP is warranted based on the evidence presented. Answering this is very important, if the entity does not request a hearing within 90 days of the OCR’s proposed determination, the OCR will issue a final determination and impose a CMP.

Audits

The HITECH Act requires HHS to perform periodic audits of covered entities and business associates to ensure they are compliant with the HIPAA Rules. These are known as random audits since they are not initiated by any incident.

The OCR did not initiate any audits in 2021 and is currently developing the criteria for implementing future audits.

What this means is… make sure your compliance efforts are documented and organized to ensure you will survive an audit without penalties.

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC