CHS/Community Health Systems to Pay $5M for Data Breach

The settlement is over a 2014 data breach that affected approximately 6.1 million patients in 28 states.

CHS/Community Health Systems to Pay $5M for Data Breach

Twenty-eight states have won a multi-million-dollar judgement against Tennessee-based CHS/Community Health Systems Inc. and its subsidiary, CHSPSC LLC, over a 2014 data breach that affected approximately 6.1 million patients.

Last week it was announced that CHS/CHSI will pay nearly $5 million to Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington and West Virginia.

The data breach exposed patients’ names, birthdates, social security numbers, phone numbers and addresses.

The company also agrees to:

  • Implement and maintain a comprehensive information security program to safeguard personal information and protected health information (PHI).
  • Develop a written incident response plan.
  • Incorporate security awareness and privacy training for all personnel who have access to PHI.
  • Limit unnecessary or inappropriate access to PHI.
  • Implement specific policies and procedures regarding business associates.

Kentucky will receive $82,345.42 of the settlement. North Carolina will be paid $200,737.17. Iowa will receive $38,895. Illinois will be paid more than $611,000. Indiana will be paid $300,831.

“This settlement returns more than $80,000 to the Commonwealth and establishes security standards that comply with Kentucky’s consumer protection laws,” said Kentucky Attorney General Daniel Cameron. “This is one example of how our Office of Consumer Protection works on behalf of Kentuckians to stop negligent business practices that jeopardize the security of their personal information.”

“When health care companies that have access to patients’ private and sensitive data don’t do enough to protect that data, they put patients at risk,” said North Carolina Attorney General Josh Stein. “I’m pleased that as a result of today’s judgment, CHS will do more to keep patients’ information secure.”

At the time of the data breach, CHS owned, leased or operated 206 affiliated hospitals. It is one of the largest hospital networks in the United States.

The settlement follows a $2.3 million settlement by the Department of Health and Human Services for Civil Rights over the same security incident.

About the Author

Robin Hattersley Gray

Robin has been covering the security and campus law enforcement industries since 1998 and is a specialist in school, university and hospital security, public safety and emergency management, as well as emerging technologies and systems integration. She joined CS in 2005 and has authored award-winning editorial on campus law enforcement and security funding, officer recruitment and retention, access control, IP video, network integration, event management, crime trends, the Clery Act, Title IX compliance, sexual assault, dating abuse, emergency communications, incident management software and more. Robin has been featured on national and local media outlets and was formerly associate editor for the trade publication Security Sales & Integration. She obtained her undergraduate degree in history from California State University, Long Beach.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Online Summit Promo Campus Safety HQ