Tennessee Health Data Management Firm Agrees to $2m Data Breach Settlement

A Tennessee firm that provides health data management services has agreed to pay the United States Office for Civil Rights (OCR) $2.3m to settle charges related to a data breach. 





Charges were brought against Tennessee-based Community Health Systems (CHSPSC LLC) by 28 states after the personal health information (PHI) of millions of people ended up in the hands of cyber-criminals. 





In April 2014, CHSPSC was notified by the Federal Bureau of Investigation that Chinese advanced persistent threat group APT18 had gained access to the company’s information system and was exfiltrating PHI. The hackers continued to access and exfiltrate the PHI until August 2014, despite the notice having been sent. 





CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. Community Health Systems owned, leased, or operated 206 affiliated hospitals at the time of the data breach.





A total of 6,121,158 individuals were impacted by the cyber-attack on CHSPSC. Data accessed by the threat group included names, birthdates, Social Security numbers, phone numbers, and addresses of patients. 





The threat group accessed CHSPSC’s information system remotely, using compromised administrative credentials to get into the company's virtual private network. 





An investigation into the incident by OCR found long-standing, systemic noncompliance with the HIPAA Security Rule that included failures to implement information system activity review, security inciden ..
