Under the Trump administration, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced seven HIPAA settlements since February 20, 2025. See HIPAA Enforcement Continues Under Trump.

Four of them occurred in April, including two last week. On April 23, HHS announced a $600,000 settlement with PIH Health, Inc., a California health care network, over a breach caused by a phishing attack. Two days later, it announced a $25,000 settlement with Comprehensive Neurology, PC, a New York practice, due to a breach caused by ransomware.

PIH Health Had Multiple Potential Violations

This settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured electronic protected health information (ePHI). PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

OCR’s investigation found multiple potential violations of the HIPAA Privacy, Security, and Breach Notification Rules, including:

  • Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.
  • Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH.
  • Failure to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that OCR will monitor for two years and pay a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

Comprehensive Neurology Failed to Do a Risk Analysis

This settlement resolves OCR’s investigation of a ransomware attack against Comprehensive.

In December 2020, OCR received a breach report from Comprehensive stating that ransomware had encrypted and rendered inaccessible its IT network, including all of its ePHI. Comprehensive noted that 6,800 individuals may have been affected.

The compromised ePHI included patient names, clinical information, health insurance information, demographic information, Social Security numbers, and driver’s license and state identification numbers. OCR’s investigation found that Comprehensive failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it held.

Under the settlement terms, Comprehensive agreed to implement a corrective action plan that OCR will monitor for two years and pay $25,000 to OCR. Under the corrective action plan, Comprehensive will be required to take specific steps toward resolving potential violations of the HIPAA Security Rule, including:

  • Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in its information systems;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
  • Reviewing, and to the extent necessary, revising its written policies and procedures to comply with the HIPAA Rules; and
  • Training its workforce on its HIPAA policies and procedures.

Follow HIPAA to Avoid Penalties

Although there have been sweeping changes in many areas of government in Washington since President Trump came into office, HIPAA enforcement continues much as it did under prior administrations. Top enforcement priorities are HIPAA risk analysis, risk management, and training.

In addition to enforcement, cybersecurity risks are growing and continue to plague the healthcare industry. Following the HIPAA Security Rule is the strongest defense against hacking and ransomware.

If you need help choosing your next steps to strengthen your compliance, let The HIPAA E-Tool® be your guide.
