Latest Settlement: $5 Million Paid to 28 States
A 2014 data breach at Community Health Systems that exposed the protected health information of 6.1 million individuals has led to another round of government penalties. This time, the Franklin, Tennessee-based company has agreed to pay $5 million for a settlement with 28 state attorneys general.
The settlement announced Thursday comes on the heels of a CHS subsidiary agreeing last month to pay $2.3 million to the Department of Health and Human Services in a HIPAA settlement stemming from the same health data breach (see: HHS Issues Yet Another Big HIPAA Breach Related Fine).
And in 2019, CHS reached a $3.1 million settlement of a class action lawsuit related to the breach (see: Settlement Reached in Community Health System’s Breach).
In a 2014 8-K filing with the U.S. Securities and Exchange Commission, the hospital chain said an advanced persistent threat group originating from China used malware to bypass CHS’s security measures and copy and transfer certain information.
The Connecticut attorney general’s office noted that at the time of the data breach, CHS owned, leased or operated 206 affiliated hospitals.
“Although none of the hospitals were located in Connecticut, 4,746 Connecticut residents were impacted by the breach. Exposed in the breach were the names, birthdates, Social Security numbers, phone numbers, and addresses of patients,” the statement says.
In addition to the financial penalty, the multistate settlement requires CHS to implement and maintain “a comprehensive information security program reasonably designed to safeguard personal information and PHI, which will include specific information security requirements.”
Those measures include developing a written incident response plan, providing security awareness and privacy training for all personnel who have access to PHI, limiting unnecessary or inappropriate access to PHI and implementing policies and procedures regarding business associates, the Connecticut state attorney general’s statement notes.
CHS business unit CHSPSC’s recent $2.3 million settlement with HHS OCR also includes a corrective action plan requiring the organization to improve its security practices. CHSPSC provides IT and health information services to CHS’s hospitals and clinics.
“Community Health Systems had an obligation to safeguard the personal information of their patients and they failed. This settlement includes a significant financial penalty and puts in place strong new protections to ensure patients’ personal information is secure going forward,” said Connecticut Attorney General William Tong.
A spokeswoman for the Connecticut attorney general’s office says the state’s share of the settlement is nearly $38,000.
Tennessee was the lead state in the action against CHS. The incident affected 450,000 individuals in that state, which will receive nearly $667,000 from the settlement, a spokeswoman for the Tennessee attorney general’s office says.
In a statement, Tennessee Attorney General Herbert Slatery noted: “A patient’s personal information – especially health information – deserves the highest level of protection. This settlement will require CHS to provide that moving forward.”
In another recent multistate settlement, 41 states plus Washington, D.C., signed a $48 million settlement with health insurer Anthem tied to its 2014 data breach that affected nearly 79 million individuals (see: Anthem Hit with $48 Million in Additional Breach Penalties).
State and Federal Action
The CHS and Anthem cases illustrate that security mishaps can result in penalties at both the state and federal levels.
“It’s crucial that HIPAA covered entities and business associates understand that their legal risk related to data privacy, security and breaches results not only from HIPAA and the HHS Office for Civil Rights, but also from specific state laws and the state attorneys general, who are clearly becoming more aggressive on these issues,” says privacy attorney Iliana Peters of the law firm Polsinelli.
“The potential violations of law cited in the appendices to the state complaints and the judgment are all state law violations. In other words, the state AGs are not citing HIPAA violations, but rather violations of state law requirements,” she notes.
“Because of the patchwork of state laws on data privacy, security and breach, and because most entities don’t understand that compliance with such laws is required not based on where the entities do business, but rather on whose residents’ data they process, compliance with such laws is generally not well understood by such entities.”
State attorneys general are “clearly responding to fears raised by citizens who are concerned about becoming victims of identity theft and fraud,” notes privacy attorney David Holtzman of the consulting firm HITPrivacy LLC.
“Today we are plagued with ransomware threats that are taking advantage of information systems that are not being assessed to see if they have adequate safeguards to protect personal information or have not been patched or updated against known threats, all of which exposes the health and financial information of consumers to vulnerabilities.”