Tennessee Attorney General Herbert H. Slatery III has announced a $5 million settlement has been reached with Community Health Systems and its affiliate CHSPCS LLC to close the investigation into the 2014 data breach that resulted in the theft of the protected health information of 6.1 million individuals’ protected health information. The financial penalty will be shared with all 28 states that participated in the investigation.
At the time of the breach, Community Health Systems owned, leased, or operated 206 hospitals across the United States. An advanced persistent threat group operating out of China evaded its security measures and gained access to its network and installed malware. The malware enabled the threat group to exfiltrate patient data such as patient names, contact information, dates of birth, Social Security numbers, and other sensitive information.
28 states – Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia – participated in the investigation of the breach, with the investigation led by Tennessee.
Security failures were identified at Community Health Systems which were exploited to gain access to the electronic protected health information stored on its systems and there were insufficient measures in place to detect and contain the breach. Under the terms of the settlement, in addition to the $5 million financial penalty, Community Health Systems has agreed to adopt a comprehensive corrective action plan to improve the security of its systems and ensure that PHI is properly protected.
The corrective action plan includes developing and implementing a written incident response plan, conducting annual risk assessments, implementing risk-based penetration testing, improving email filtering and anti-phishing measures, implementing intrusion detection and data loss protection systems, limiting unnecessary or inappropriate access to systems containing PHI, logging security and event information and reviewing those logs for suspicious activity, limiting unnecessary or inappropriate access to systems containing PHI, implementing policies and procedures for all business associates, and conducting regular audits of its business associates.
“A patient’s personal information—especially health information—deserves the highest level of protection,” said Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”
The settlement comes a matter of days after the HHS’ Office for Civil Rights announced it had settled its HIPAA violation case with CHS subsidiary CHSPCS for $2.3 million. Last year CHS settled a class action lawsuit filed on behalf of victims of the breach for $3.1 million.