PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including their names, social security numbers, driver’s license numbers, diagnoses, lab tests, medications, treatment, claims, and financial information.
PIH notified the individuals and the Office for Civil Rights (OCR) of the incident in January 2020. OCR launched an investigation and found alleged violations of HIPAA’s privacy, security and breach notification rules.
In addition to the $600,000 settlement payment, PIH entered into a resolution agreement with OCR that required it to:
- Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
- Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
- Develop, maintain, and revise, as necessary, its written policies and procedures to comply with HIPAA rules.
- Train its workforce members who have access to PHI on HIPAA policies and procedures.
These requirements are essential to a HIPAA compliance program, and this settlement is a reminder for covered entities to update and maintain security risk assessments, analyses, and risk management plans to address risks and vulnerabilities on an ongoing basis.