Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with PIH Health, Inc. (PIH), a California healthcare network, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The potential violations stem from a phishing attack that exposed unsecured electronic protected health information (ePHI) and implicate the HIPAA Privacy, Security, and Breach Notification Rules. The settlement resolves an investigation that OCR opened after receiving a breach report from PIH in January 2020. According to that report, a phishing attack in June 2019 compromised forty-five employees' email accounts, resulting in the breach of 189,763 individuals' unsecured ePHI. OCR's investigation identified multiple potential violations of the HIPAA Rules. Under the terms of the resolution agreement, PIH has paid a $600,000 settlement to OCR and has agreed to implement a corrective action plan that OCR will monitor for two years.