May 03, 2025

PIH Health to pay government $600,000 for privacy violations from 2019 phishing attack

May 02, 2025


Whittier-based PIH Health Inc. has agreed to pay $600,000 to the federal government for failing to promptly disclose a 2019 phishing attack that compromised 45 employee email accounts and breached records belonging to 189,763 patients.

The settlement announced last week by the U.S. Department of Health and Human Services’ Office of Civil Rights doesn’t address a separate December 2024 cyber breach at PIH in which hackers claimed to have stolen 17 million confidential patient files.

The OCR is responsible for enforcing the Health Insurance Portability and Accountability Act, a federal law providing protections for health information.

The settlement resolves an investigation by OCR following a breach report from PIH in January 2020, about seven months after the phishing attack.

HIPAA regulations require covered entities to report breaches affecting protected health information within 60 days of discovering the breach.

“Hacking is one of the most common types of large breaches reported to OCR every year,” OCR Acting Director Anthony Archeval said in a statement. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”

PIH stated in a breach report that, in June 2019, a phishing attack compromised employee emails, exposing patients’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment, insurance claims, and financial information.

The OCR investigation found that PIH potentially committed multiple violations, including:

  • Using or disclosing protected health information in a manner not permitted or required by HIPAA.
  • Failing to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality and integrity of PIH’s email system.
  • Failing to notify affected individuals, the Department of Health and Human Services, and the media of the cyber breach within 60 days of its discovery.

In addition to paying $600,000, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years.

Among the stipulations is a requirement that PIH implement a plan to address and mitigate security risks and vulnerabilities.

The corrective action plan requires PIH to take definitive steps toward resolving potential HIPAA violations, including addressing and mitigating security and confidentiality vulnerabilities of its email system.

PIH officials did not immediately respond to requests for comment regarding the settlement or whether it has notified the Department of Health and Human Services of a separate cyber attack on Dec. 1, 2024, alleged by hackers to have compromised more than 17 million patient records.

In that incident, hackers paralyzed phone and computer systems for weeks at PIH hospitals in Downey, Whittier and Los Angeles, along with associated urgent care centers, doctors’ offices, and an associated home health and hospice agency.

The Southern California News Group obtained a copy of a threatening typewritten letter purportedly faxed by the unidentified hackers to PIH outlining the scope of the attack.

The cyber thieves said PIH’s network was “highly vulnerable,” with data stored insecurely on servers. They also claimed to have stolen about 2 terabytes of files, documents and reports, including confidential patient diagnoses, test results, photos, and treatments.

The Department of Health and Human Services declined to say whether PIH is being investigated or faces financial penalties for the cyber attack that has sparked several lawsuits.
