The U.S. Department of Health and Human Services (HHS) has announced a $600,000 settlement with an entity covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) following a phishing attack. The settlement involves PIH Health, Inc., a California-based health network.
The HHS Office for Civil Rights (OCR) began investigating the incident after receiving a report in January 2020 that a phishing attack had compromised the email accounts of 45 employees, resulting in a breach of electronic protected health information (ePHI) for 189,000 individuals. The affected ePHI included names, addresses, birth dates, Social Security numbers, driver’s license numbers, and health and financial information.
In its investigation, OCR found that the covered entity failed to:
- Use or disclose PHI only as permitted by HIPAA;
- Conduct a compliance risk analysis;
- Establish preventative security measures; and
- Provide notice of the breach to affected individuals, HHS, and the media within 60 days.
- Determining where ePHI is located;
- Revising business processes to include risk analysis and management;
- Implementing audit controls;
- Regularly reviewing information system activity;
- Using authentication mechanisms to limit authorized users’ access to ePHI;
- Encrypting ePHI to guard against unauthorized access; and
- Providing staff with regular, organization-specific HIPAA training.