CHS settles patient data breach for $5M

Franklin, Tenn.-based Community Health Systems has agreed to pay $5 million to settle a 2014 data breach that affected about 6.1 million patients, according to an Oct. 8 Iowa justice department news release.

Five details:

1. In August 2014, a cyberhacking group gained access to CHS’ business associate services entity’s information system and stole the protected health information of 6.1 million patients.

2. At the time of the breach, CHS owned, leased or operated 206 affiliated hospitals. Patient information exposed as a result of the incident included names, Social Security numbers, birthdates and addresses.

3. The CHS associate, named CHSPSC, agreed to pay the Office for Civil Rights $2.3 million to settle the HIPAA breach, according to a Sept. 24 news release. OCR’s investigation found that the company failed to conduct a risk analysis and implement access controls.

4. The Oct. 8 judgment requires CHS to pay $5 million to 28 states participating in the settlement. Those states are: Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

5. In addition to the financial settlement, CHS also agreed to implement a new information security program with a written incident response plan, security awareness and privacy training for all employees who have access to protected health information and establish new policies for business associates.

More articles on cybersecurity:
AdventHealth Orlando data incident affects info of 1,514 individuals
OCR settles HIPAA Right of Access case with Dignity Health for $160K
Ransomware attacks in healthcare doubled in Q3


© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.