April 23 (UPI) — A June 2019 phishing attack that compromised the personal information of 189,763 patients of California-based PIH Health will cost the healthcare provider $600,000, Health and Human Services officials announced Wednesday.
The HHS Office for Civil Rights investigated the June 2019 phishing attack after PIH Health network officials reported the system breach six months later, according to an HHS news release.
“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval.
“HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information,” Archeval added.
The OCR determined the healthcare provider violated Health Insurance Portability and Accountability Act provisions by exposing unsecured electronic protected health information for nearly 190,000 people, including 45 employees.
The breach resulted in unauthorized access to people’s Social Security numbers, names, addresses, dates of birth and driver’s license numbers.
The hackers also accessed people’s medical diagnoses, medication records, lab results, treatments, claims information and financial information.
The settlement resolves OCR accusations of HIPAA violations, including failing to use or disclose protected health information only as permitted, failing to conduct an accurate and thorough risk analysis, and failing to notify affected individuals, the HHS secretary and the media within 60 days of discovering the records breach.
PIH Health officials have agreed to take corrective action to prevent additional breaches and will be monitored by the OCR for two years in addition to paying the $600,000 settlement.
A corrective action plan requires the healthcare provider to conduct thorough and accurate data risk assessments, develop and implement a risk-management plan to lessen security risks and revise policies and procedures as needed to comply with HIPAA regulations.
PIH Health officials did not respond to requests for comment made Wednesday afternoon.