The HHS’ Office for Civil Rights (OCR) reported the 6th financial penalty for 2025 involving alleged HIPAA Rules violation. Health care network PIH Health in California consented to resolve the HIPAA violations by paying $600,000 in financial penalty.
In June 2019, a data breach occurred that prompted an investigation, but no breach report was submitted to OCR until January 10, 2020. Hackers used a targeted phishing campaign to access the email accounts of 45 employees from June 11 to June 21, 2019. The email accounts held the electronic protected health information (ePHI) of 189,763 individuals, such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, diagnoses, laboratory results, prescribed medicines, treatment data, and financial details.
The breach sticks out because of the number of email accounts involved in the attack and the late issuance of notifications to the HHS and the impacted persons. OCR’s investigation discovered multiple HIPAA violations of HIPAA Rules, such as the HIPAA Security Rule, HIPAA Privacy Rule, and HIPAA Breach Notification Rule.
Under the HIPAA Privacy Rule, uses and disclosures of protected health information (PHI) are restricted. OCR confirmed the impermissible disclosure of 189,763 individuals’ PHI to the threat actor after a successful phishing attack. The HIPAA Security Rule requires covered entities to perform an accurate and complete risk analysis to determine risks and vulnerabilities to the integrity, confidentiality, and availability of ePHI. OCR found out that PIH Health did not perform a HIPAA-compliant risk analysis.
The HIPAA Breach Notification Rule requires covered entities to notify the HHS Secretary and the impacted individuals about a breach of unsecured PHI. When a breach impacts over 500 persons, the covered entity must publish a notice via media in the residential area of the impacted persons. All notifications should be sent without undue delay and not over 60 days after the date of discovering the breach. OCR discovered that PIH Health violated the three notification requirements.
OCR informed PIH Health regarding the results of the investigation, including the potential financial penalty, and offered PIH Health the chance to resolve the issue informally. PIH Health decided to pay $600,000 as financial penalty to settle the alleged HIPAA violations and implement a corrective action plan for total compliance with the HIPAA laws. PIH Health’s compliance with the corrective action plan is under the supervision of OCR for two years.
Based on the corrective action plan, PIH Health needs to perform a complete and appropriate risk analysis, create a risk management plan to minimize any risks and vulnerabilities discovered and limit them to a low and appropriate level, create and follow written guidelines and procedures to adhere to the HIPAA Rules, and provide updated HIPAA training to employees regarding those policies and procedures. The enforcement action serves to warn HIPAA-covered entities regarding the necessity of following the Breach Notification law promptly.
With this big settlement amount, OCR’s total funds collected from enforcement actions in 2025 reached over $2 million.
