Community Health Systems Entity Pays $2.3M to Settle Breach Impacting 6M People

Sept. 25, 2020
OCR ‘s investigation found “longstanding, systemic noncompliance with the HIPAA Security Rule”

An entity of the Franklin, Tenn.-based Community Health Systems (CHS) has agreed to pay $2.3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people.

The entity, CHSPSC, provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc.

According to OCR, in April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyber hacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals spanning across 237 entities served by CHSPSC, until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network, OCR stated.

OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.

CHS operates around 200 hospitals across the country and is one of the largest hospital networks in the U.S.

“The healthcare industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” OCR Director Roger Severino said in a statement.

In addition to the monetary settlement, CHSPSC has agreed to a robust corrective action plan that includes two years of monitoring.

Sponsored Recommendations

Elevating Clinical Performance and Financial Outcomes with Virtual Care Management

Transform healthcare delivery with Virtual Care Management (VCM) solutions, enabling proactive, continuous patient engagement to close care gaps, improve outcomes, and boost operational...

Examining AI Adoption + ROI in Healthcare Payments

Maximize healthcare payments with AI - today + tomorrow

Addressing Revenue Leakage in Hospitals

Learn how ReadySet Surgical helps hospitals stop the loss of earned money because of billing inefficiencies, processing and coding of surgical instruments. And helps reduce surgical...

Care Access Made Easy: A Guide to Digital Self Service

Embracing digital transformation in healthcare is crucial, and there is no one-size-fits-all strategy. Consider adopting a crawl, walk, run approach to digital projects, enabling...