June 2025
Natashia Wright, Associate Director, Benefits Compliance
The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently reached a $600,000 settlement with a HIPAA-covered entity over possible violations of the HIPAA Privacy, Security, and Breach Notification Rules. The investigation followed a phishing attack that compromised 45 employees’ email accounts and exposed the electronic protected health information (“e-PHI”) of over 189,000 individuals, including names, contact information, Social Security numbers, medical diagnoses, lab results, pharmaceutical interventions, treatment and claim information, and certain financial information.
Employer Action Items
The OCR press release notes that “hacking is one of the most common types of large breaches reported to [HHS’s Office for Civil Rights] every year.” This and other resolution agreements demonstrate that HHS continues to focus on ransomware attacks, as well as on the performance of risk analysis and risk management initiatives to combat the negative consequences of such cybercrime incidents. In particular, the initiatives HHS expects an employer/covered entity to perform include the following activities:
- Identifying where e-PHI is stored and how it moves within and outside the organization;
- Integrating the risk analysis into business processes;
- Implementing audit controls to monitor system activity;
- Using two-factor authentication when granting authorized access to e-PHI;
- Encrypting e-PHI in transit and at rest;
- Learning from past incidents and applying their outcomes, together with the results of risk assessment activities, to inform the entity’s security management posture; and,
- Providing regular, robust, job-specific training to officers, designated individuals, and HR personnel as mandated, consistent with the provisions of the HIPAA Privacy and Security Rules.
Summary
OCR initiated an investigation after receiving a breach report from PIH Health, a California healthcare network, in January 2020. The breach report indicated that in June 2019, a phishing attack compromised the email accounts of 45 employees. The incident exposed the unsecured e-PHI of 189,763 individuals. PIH Health reported that the e-PHI disclosed during the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, pharmaceutical interventions, treatment and claims information, and financial information. OCR’s investigation revealed that PIH Health failed to:
- Use or disclose protected health information only as required or permitted by the HIPAA Privacy Rule;
- Conduct a comprehensive risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the e-PHI held by PIH; and,
- Notify affected individuals, the HHS Secretary, and the media within 60 days of discovering a breach of unsecured protected health information.
Under the terms of its resolution agreement with HHS, PIH has agreed to implement a corrective action plan that OCR will monitor over a two-year period, and to pay a civil monetary penalty of $600,000. The corrective action plan includes the following steps:
- Developing, maintaining, and revising, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules.
- Providing workforce training on HIPAA policies and procedures, and submitting certification (written or electronic), along with training dates, to HHS for approval.
- Conducting an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of its e-PHI.
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities, as identified in the entity’s risk analysis.
- Reviewing and revising the entity’s risk analysis to identify potential risks and vulnerabilities to PIH’s data, so as to protect the confidentiality, integrity, and availability of e-PHI.
More Information
- The resolution agreement and corrective action plan;
- The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information;
- HHS Security Risk Assessment Tool;
- OCR Cybersecurity Video; and
- Cybersecurity and Infrastructure Security Agency (CISA) & HHS Cybersecurity toolkit.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.