Lexology May 2, 2025
Hunton Andrews Kurth LLP

On April 23, 2025, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a HIPAA enforcement action against PIH Health, Inc. (“PIH”), a California-based health care network, following a phishing attack that exposed patients’ electronic protected health information (“ePHI”). The settlement highlights OCR’s continued focus on ensuring that covered entities implement robust security programs capable of identifying and mitigating threats to ePHI.

The investigation stemmed from a breach report submitted by PIH in January 2020, which disclosed that in June 2019, a phishing attack had compromised the email accounts of 45 employees. The attack resulted in the unauthorized disclosure of unsecured ePHI belonging to 189,763 individuals, including names, addresses, dates of birth, driver’s license numbers, Social...

Today's Sponsors

Venturous
ZeOmega

Today's Sponsor

Venturous

Continue Reading

 
Topics: Govt Agencies, HIPAA, Provider
Related Articles:
OCR Kicks Off 2026 with Reminders about "System Hardening" for HIPAA Covered Entities
Providers Evaluate Security as Updated HIPAA Compliance Looms
Updates to HIPAA Notice of Privacy Practices Required by February 16, 2026
How Healthcare Organizations Can Navigate Security Changes Linked to HIPAA Updates
Preparing for the HIPAA Security Rule Update

Share Article