A Tennessee firm that provides health data management services has agreed to pay the US Department of Health and Human Services' Office for Civil Rights (OCR) $2.3m to resolve potential HIPAA violations related to a data breach.
Tennessee-based CHSPSC LLC, a subsidiary of Community Health Systems, Inc., has separately faced action by 28 states after the protected health information (PHI) of millions of people ended up in the hands of cyber-criminals.
In April 2014, CHSPSC was notified by the Federal Bureau of Investigation that the Chinese advanced persistent threat group APT18 had gained access to the company's information system and was exfiltrating PHI. Despite that notification, the attackers continued to access and exfiltrate PHI until August 2014.
CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. Community Health Systems owned, leased, or operated 206 affiliated hospitals at the time of the data breach.
A total of 6,121,158 individuals were impacted by the cyber-attack on CHSPSC. Data accessed by the threat group included names, birthdates, Social Security numbers, phone numbers, and addresses of patients.
The threat group accessed CHSPSC’s information system remotely, using compromised administrative credentials to get into the company’s virtual private network.
An investigation into the incident by OCR found long-standing, systemic noncompliance with the HIPAA Security Rule, including failures to implement information system activity review, security incident procedures, and access controls, as well as a failure to conduct a risk analysis.
“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR director Roger Severino.
Yesterday, Tennessee attorney general Herbert Slatery III, along with the attorneys general of 27 other states, announced a settlement with Community Health Systems and its subsidiary, CHSPSC LLC. As part of the judgement, CHS has agreed to pay $5m to the states.
In addition to the monetary settlement, CHSPSC has agreed to protect patient data by implementing and maintaining a robust security program.