On April 23, 2025, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $600,000 settlement with PIH Health, Inc. (PIH), a California-based healthcare network, to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules following a 2019 phishing incident affecting nearly 190,000 individuals. The settlement stems from an OCR investigation initiated after PIH submitted a breach report in January 2020, seven (7) months after the phishing attack had compromised forty-five (45) employee email accounts.
OCR’s investigation uncovered multiple potential violations of HIPAA, including the failure to notify affected individuals, the HHS Secretary, and the media within the sixty- (60-) day timeframe required under the Breach Notification Rule. The compromised data included highly sensitive information such as names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, and financial data. OCR also cited PIH’s failure to conduct a thorough security risk analysis and implement adequate safeguards to protect the confidentiality, integrity, and availability of its electronic protected health information (ePHI) and a failure to use or disclose protected health information (PHI) only as permitted or required by the Privacy Rule.
This settlement marks another enforcement action under the current administration and reflects OCR’s return to broader HIPAA enforcement beyond recent settlements under the Right of Access and Risk Analysis Initiatives.
Corrective Action Plan requirements are a targeted response to notification failures
In addition to the financial settlement, OCR imposed a Corrective Action Plan (CAP) on PIH, which includes provisions aimed at preventing future delays in identifying and reporting breaches. These include:
- Conducting a comprehensive risk analysis focusing on vulnerabilities to ePHI;
- Implementing a risk management plan tailored to identified gaps;
- Developing and revising breach notification policies and procedures; and
- Submitting implementation reports to OCR for review.
A broader enforcement posture
Compared to recent settlements with Guam Memorial Hospital Authority, Northeast Radiology, P.C., and Health Fitness Corporation, the PIH CAP is notable for its distinct emphasis on breach notification obligations. Recent CAPs have reflected a narrower enforcement focus aligned with OCR’s initiative-driven priorities, namely the Risk Analysis Initiative and the Right of Access Initiative. In contrast, the PIH CAP suggests a return to a more traditional HIPAA enforcement centered on breach response and organizational accountability.
This divergence may reflect not only the specific facts and compliance gaps identified in each matter, but also a broader signal from OCR that it intends to expand its enforcement beyond the targeted initiatives of the past few years. As a result, HIPAA-regulated entities should be prepared for increased scrutiny across the full range of HIPAA requirements—not just those emphasized in recent OCR initiatives.
Implications for HIPAA-regulated entities
The PIH settlement underscores the continuing importance of timely breach notification and comprehensive HIPAA compliance. Covered entities and business associates should not only ensure that they have robust patient access protocols and comprehensive security risk analyses, but also re-evaluate their breach response procedures to confirm that they meet the HIPAA requirements. As workforce members are key to identifying potential data breaches, HIPAA-regulated entities should ensure that any policy updates are communicated to the organization’s workforce.