Multi-State Breach Investigation Settled with Community Health Systems Paying $5 Million Penalty

Tennessee-based Community Health Systems and subsidiary CHSPCS LLC have settled a multiple-state action with 28 state attorneys general for $5 million. 

A joint investigation was launched, headed by Tennessee Attorney General Herbert H. Slatery III, after a breach of the protected health information (PHI) of 6.1 million people in 2014. At the time, Community Health Systems owned, leased, or operated 206 hospitals. According to a 2014 8-K filing with the US Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group that installed malware on its systems, which was used to steal data. Names, telephone numbers, addresses, dates of birth, sex, ethnicity, emergency contact information, and Social Security numbers were among the PHI stolen by the hacker group.

This same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and that a $2.3m penalty was paid to resolve any potential HIPAA violations discovered during the breach investigation. In addition to the financial penalty, CHSPCS has agreed to implement a robust corrective action plan to address the privacy and security issues discovered by OCR’s investigative team.

The state attorneys general investigation revealed that CHS and its affiliates failed to implement suitable and proper security measures to protect the confidentiality of protected health information on their computer systems.

“A patient’s personal information—especially health information—deserves the highest level of protection,” remarked Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”

The settlement with the state attorneys general also requires the adoption of a corrective action plan. Community Health Systems and its subsidiary have agreed to develop a written incident response plan, provide security awareness and privacy training to all personnel with access to PHI, limit unnecessary or inappropriate access to systems containing PHI, implement policies and procedures for their business associates, and conduct regular audits of all business associates. CHS must also conduct an annual risk assessment; implement and maintain a risk-based penetration testing program; and deploy and maintain intrusion detection systems, data loss prevention measures, and email filtering and anti-phishing solutions. All system activity must be logged, and those logs must be regularly reviewed for suspicious activity.

“The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,” said Iowa Attorney General Tom Miller.

States taking part in this action were Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

“Community Health Systems is pleased to have resolved this six-year-old matter,” explained a spokesperson for CHS in a statement regarding the settlement. “The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack.”

Victims of the breach took legal action against CHS over the theft of their PHI, and CHS settled the class action lawsuit for $3.1m in 2019. That settlement, together with the financial penalties, means CHS and its affiliates have paid a total of $10.4 million as a result of the breach.

Author: Maria Perez