Community Health Systems To Settle $5 Million to Resolve Multi-State Breach Case

Community Health Systems located in Franklin, TN, and its subsidiary CHSPCS LLC agreed to settle a multi-state action with 28 state attorneys general by paying out $5 M.

An investigation directed by Tennessee Attorney General Herbert H. Slatery III was started after a protected health information (PHI) breach that involves 6.1 million people in 2014. At that time, Community Health Systems owned, leased, or managed 206 affiliate hospitals. Based on a 2014 8-K filing with the U.S. SEC, a Chinese advanced persistent threat group hacked the health system then deployed malware on its computer networks to steal information. The hackers stole PHI such as names, addresses, telephone numbers, birth dates, sex, race, Social Security numbers, and emergency contact data.

The HHS’ Office for Civil Rights looked into the same breach and reported the end of last month that it has reached a settlement with CHSPCS concerning the breach. A $2.3 million fine was paid to take care of potential HIPAA violations found in the course of the breach investigation. Besides the financial fine, CHSPCS consented to follow a solid corrective action plan to handle privacy and security problems identified by OCR’s investigators.

Breach victims filed suit against CHS for their PHI theft and CHS took care of the class-action lawsuit last year by paying $3.1 million. The newest settlement implies CHS and its affiliates already spent $10.4 million over the breach.

The investigators discovered that CHS and its affiliates were unable to use acceptable and proper security measures to protect that the availability, confidentiality and integrity of protected health information on its systems. The conditions of this settlement will help make sure that patient data are secured from inappropriate use or disclosure.

The states partaking in the action were Arkansas, Alaska, Connecticut, Florida, Indiana, Iowa, Illinois, Kentucky, Louisiana, Michigan, Mississippi, Massachusetts, Missouri, Nevada, Nebraska, New Jersey, North Carolina, Oregon, Pennsylvania, Ohio, Rhode Island, South Carolina, Texas, Tennessee, Vermont, Utah, West Virginia and Washington.

Besides having to pay the finance charges, CHS and its affiliates made an agreement to take up a corrective action plan and carry out further security procedures to strengthen the security of its systems. The actions consist of creating a written incident response program, giving security awareness and privacy training to all employees having PHI access, restricting needless or improper access to systems that contain PHI, employing policies and methods for its business associates, and performing routine reviews of all business associates.

CHS should likewise perform a yearly risk assessment, employ and keep a risk-based penetration testing plan, use and maintain intrusion detection tools, data loss protection tools, and email filtering and anti-phishing programs. All system activity needs to be recorded, and those logs should be regularly evaluated for suspicious activity.

A spokesperson for CHS stated that the health system is happy to have taken care of this six-year-old issue. The company had set up solid risk controls and worked together with the FBI and constantly with its suggestions after knowing about the attack.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at