A healthcare system has paid the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) $600,000 to resolve potential HIPAA violations stemming from a cyber incident.
PIH Health, Inc. (PIH) reported the hacking of 45 employee email accounts in 2020. According to the report, the incident resulted in “the breach of 189,763 individuals’ unsecured ePHI” in June 2019. Compromised information included patients’ names, addresses, birthdays, driver’s license and Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information, according to HHS.
Possible Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations revealed by OCR’s inspection were:
- “Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.”
- Not performing an “accurate and thorough risk analysis.”
- Not notifying the required parties of the incident in a timely manner.
In addition to paying OCR $600,000, PIH will participate in a “corrective action plan.”