OCR levies $2.3M fine over massive breach affecting PHI of 6M people
The U.S. Department of Health and Human Services announced this week that CHSPSC, a Tennessee-based management company providing business associate services to hospitals and physician clinics indirectly owned by Community Health Systems, had agreed to pay $2.3 million to settle potential HIPAA violations.
According to the HHS Office for Civil Rights, the Federal Bureau of Investigation notified CHSPSC in April 2014 that it had flagged an “advanced persistent threat” to CHSPSC’s information system.
But the hackers continued to access the information through August of that year, according to the enforcement agency, and breached the protected health information of more than 6 million people.
CHSPSC has also agreed to a corrective action plan including two years of monitoring.
WHY IT MATTERS
Community Health Systems is one of the largest publicly traded hospital companies in the country, as measured by number of facilities. CHSPSC provides services – including IT, health information management, legal and compliance – to hospitals and clinics indirectly owned by CHS.
According to the action plan published on HHS’ website, in April 2014, a group of bad actors remotely accessed CHSPSC’s information system through its VPN. Eight days later, the FBI notified CHSPSC about the intrusion.
From April through August, the cyber criminals affected 237 covered entities served by CHSPSC and exfiltrated the PHI of more than 6 million people – including name, sex, date of birth, phone number, Social Security number, email and emergency contact information.
“OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls,” said the agency.
“Community Health Systems has long disputed the allegations of the OCR, including those contained in the press release. We settled these allegations without any admission of fault after a six-year investigation in which we provided OCR ample evidence that its allegations were inaccurate,” said Community Health Systems in a statement provided to Healthcare IT News.