Breach of 6 Million Records and Multiple HIPAA Failures Leads to $2.3 Million HIPAA Fine for Business Associate

The Tennessee-based management company CHSPSC LLC, a supplier of services to a range of different subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services, has been fined $2.3 million in relation to five potential violations of the HIPAA compliance rules.

The fine was made public this week by the Department of Health and Human Services’ Office for Civil Rights (OCR) and is the 10th HIPAA violation fine this year, and the 7th financial penalty to settle HIPAA violations to be announced in the past week.

The breach in question took place on April 10, 2014, when CHSPSC was attacked by a hacking group known as APT18. The attack involved the use of compromised admin credentials that were obtained in a phishing attack. The hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC did not spot the breach and was made aware of the intrusion by the Federal Bureau of Investigation on April 18, 2014.

The systems accessed by the attackers contained the electronic protected health information of 6,121,158 individuals, and the PHI was exfiltrated by the hackers. The data had been shared with CHSPSC through 237 covered entities that used CHSPSC’s services. The stolen data included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR opened an investigation into the breach and found systemic noncompliance with the HIPAA Security Rule. Although CHSPSC was notified by the FBI in April 2014 that its systems had been infiltrated, the hackers remained active in its systems for 4 months, finally being removed in August 2014. During that period of time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. § 164.502(a).

The failure to react to a known security incident between April 18, 2014 and June 18, 2014, to address the damaging effects of the security breach, and to document the breach and its outcome was in breach of 45 C.F.R. § 164.308(a)(6)(ii).

OCR investigators found CHSPSC had not completed an accurate and thorough security risk analysis to identify risks and vulnerabilities to ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and processes that limit access to information systems containing ePHI maintained by CHSPSC to authorized individuals and software programs had not been put in place, in breach of 45 C.F.R. § 164.312(a).

Procedures had not been put in place to ensure that information system activity records, such as logs and system security incident tracking reports, were regularly reviewed, in breach of 45 C.F.R. § 164.308(a)(1)(ii)(D).

OCR Director Roger Severino said: “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”

CHSPSC did not contest the penalty. It agreed to pay the financial penalty and adopt a corrective action plan covering all areas of noncompliance identified by OCR.

Author: Maria Perez