$2.3 Million HIPAA Penalty for Business Associate for 6 Million-Record Data Breach
The Community Health Systems business associate, CHSPSC LLC, has settled its HIPAA violation case with the HHS’ Office for Civil Rights (OCR) for $2.3 million.
CHSPSC LLC is a management company based in Tennessee that provides legal, compliance, accounting, operations, human resources, IT, and health information management services to subsidiary hospital operator companies and other affiliates of Community Health Systems.
CHSPSC was investigated by OCR after reporting a breach involving the electronic protected health information of 6,121,158 individuals. On April 18, 2014, the Federal Bureau of Investigation notified CHSPSC about a cyberattack conducted by an advanced persistent threat group called APT18. The hackers had gained access to CHSPSC systems a week previously, on April 10, 2014. CHSPSC was unaware that its systems had been breached.
Despite being notified about the breach in April, the hackers were not eradicated from its systems until August 2014. During that time they had access to, and exfiltrated, electronic protected health information (ePHI). OCR determined that the last evidence of APT18 network activity was August 18, 2014.
The ePHI of 6,121,158 individuals – name, sex, phone number, date of birth, email address, ethnicity, emergency contact information, Social Security number – was stolen by the hackers.
In addition to failing to prevent unauthorized access to the ePHI of more than 6 million individuals, OCR determined that there had been four other potential HIPAA violations.
CHSPSC had failed to respond to a known security breach between April 18, 2014 to June 18, 2014 and did not, to the extent practicable, mitigate the harmful effects of the breach and document the security incident and its outcome.
CHSPSC had not conducted accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
CHSPSC had not implemented policies and procedures requiring records of system activity to be reviewed. Audit logs, access reports and security tracking incident reports had not been checked.
CHSPSC had not implemented technical policies and procedures to allow access to ePHI only to authorized persons or software programs granted access rights to information systems maintained by CHSPSC.
It may not be possible to prevent all data breaches, but it is vital that any breach is detected quickly and mitigated. “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.
In addition to paying a $2.3 million financial penalty, CHSPSC is required to adopt a robust corrective action plan and will be closely monitored by OCR for two years to ensure continued compliance. CHSPSC settled the case with no admission of liability.
This is the 10th HIPAA fine to be imposed by OCR in 2020 and the largest financial penalty so far this year. It is also the 7th financial penalty to be announced by OCR in the past week.