A recent phishing incident at a California-based healthcare network, PIH Health, has affected nearly 190,000 individuals, leading to a settlement agreement of $600,000 with federal regulators. The breach, which occurred in 2019, was a result of a phishing attack that compromised 45 employee email accounts. The U.S. Department of Health and Human Services initiated an investigation into the breach after PIH Health filed a report seven months later in January 2020.
According to HIPAA regulations, healthcare entities are required to report breaches affecting 500 or more individuals to the HHS OCR within 60 days of discovery. In this case, PIH Health failed to meet this requirement, leading to further scrutiny by the federal agency. The phishing incident exposed sensitive electronic protected health information (ePHI) of the affected individuals, including personal details such as names, addresses, Social Security numbers, and medical information.
“Hacking is one of the most common types of large breaches reported to OCR every year,” stated Anthony Archeval, acting director of HHS OCR. He emphasized the importance of proactive measures to ensure compliance with HIPAA regulations and prevent unauthorized disclosure of patients’ health information. The investigation into PIH Health also uncovered other potential violations, such as improper use and disclosure of PHI and failure to conduct a thorough security risk analysis.
As part of the resolution agreement, PIH Health has agreed to pay the $600,000 settlement and implement a corrective action plan under the oversight of HHS OCR for the next two years. The plan includes conducting a comprehensive risk analysis, developing a risk management strategy, revising policies to comply with HIPAA rules, and providing training to workforce members on HIPAA policies and procedures.
Despite repeated attempts to contact PIH Health for comment on the settlement, the organization has not responded. This enforcement action marks the 12th HIPAA case handled by HHS OCR in 2025. The timing of the resolution agreement, signed in January, indicates that it may be one of the few enforcement actions taken during the Trump administration, as most other cases were finalized under the Biden administration in the previous year.
Overall, the settlement with PIH Health serves as a reminder to healthcare organizations about the importance of timely breach reporting, HIPAA compliance, and proactive cybersecurity measures. By taking swift action to address deficiencies in compliance programs, entities can safeguard patient data and prevent future incidents of unauthorized data disclosure.