The U.S. Department of Health and Human Services (HHS) has announced a $600,000 settlement with an entity covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) following a phishing attack. The settlement involves PIH Health, Inc., a California-based health network.
The HHS Office for Civil Rights (OCR) began investigating the incident after receiving a report in January 2020 that a phishing attack had compromised the email accounts of 45 employees, resulting in a breach of electronic protected health information (ePHI) belonging to 189,000 individuals. The affected ePHI included names, addresses, birth dates, Social Security numbers, driver's license numbers, and health and financial information.
In its investigation, OCR found that the covered entity failed to:
- Use or disclose PHI only as permitted by HIPAA;
- Conduct a compliance risk analysis;
- Establish preventative security measures; and
- Provide notice of the breach to affected individuals, HHS, and the media within 60 days.
In addition to the $600,000 settlement, the entity must develop and implement a corrective action plan, which HHS will oversee for two years. The purpose of the corrective action plan is to assess ePHI risks and vulnerabilities and establish a written risk management plan. Furthermore, the entity must develop specific written policies and procedures concerning privacy and security to remain HIPAA-compliant and provide training to staff with access to PHI on HIPAA policies and procedures.
OCR recommends that HIPAA-covered entities take measures to mitigate the risks of cyberattacks, such as:
- Determining where ePHI is located;
- Revising business processes to include risk analysis and management;
- Implementing audit controls;
- Regularly reviewing information system activity;
- Using authentication mechanisms so that only authorized users can access ePHI;
- Encrypting ePHI to guard against unauthorized access; and
- Providing staff with regular, organization-specific HIPAA training.