Twenty-eight states have won a multi-million-dollar judgment against Tennessee-based CHS/Community Health Systems Inc. and its subsidiary, CHSPSC LLC, over a 2014 data breach that affected approximately 6.1 million patients.
Last week it was announced that CHS/CHSI will pay nearly $5 million to Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington and West Virginia.
The data breach exposed patients’ names, birthdates, Social Security numbers, phone numbers and addresses.
The company also agrees to:
- Implement and maintain a comprehensive information security program to safeguard personal information and protected health information (PHI).
- Develop a written incident response plan.
- Incorporate security awareness and privacy training for all personnel who have access to PHI.
- Limit unnecessary or inappropriate access to PHI.
- Implement specific policies and procedures regarding business associates.
Kentucky will receive $82,345.42 of the settlement. North Carolina will be paid $200,737.17. Iowa will receive $38,895. Illinois will be paid more than $611,000. Indiana will be paid $300,831.
“This settlement returns more than $80,000 to the Commonwealth and establishes security standards that comply with Kentucky’s consumer protection laws,” said Kentucky Attorney General Daniel Cameron. “This is one example of how our Office of Consumer Protection works on behalf of Kentuckians to stop negligent business practices that jeopardize the security of their personal information.”
“When health care companies that have access to patients’ private and sensitive data don’t do enough to protect that data, they put patients at risk,” said North Carolina Attorney General Josh Stein. “I’m pleased that as a result of today’s judgment, CHS will do more to keep patients’ information secure.”
At the time of the data breach, CHS owned, leased or operated 206 affiliated hospitals. It is one of the largest hospital networks in the United States.
The settlement follows a $2.3 million settlement with the Department of Health and Human Services Office for Civil Rights over the same security incident.