Getty Images/iStockphoto

CHS Settles with 28 States for $5M Over 2014 Data Breach of 6.1M

Just two weeks after settling with OCR for $2.3 million over its 2014 health data breach, Community Health Systems (CHS) reached a settlement of $5 million with 28 states.

Tennessee-based Community Health Systems (CHS) reached a $5 million settlement with 28 states to resolve an investigation into its massive data breach that impacted 6.1 million patients in 2014. 

The resolution follows a $2.3 million settlement with the Office for Civil Rights into the same security incident, announced just two weeks ago. CHS also entered into a two-year corrective action plan to resolve several potential HIPAA violations. 

The settlements stem from a hack launched by Chinese hackers that lasted from April 2014 and June 2014. The advanced persistent threat (APT) actors launched an advanced malware attack designed to obtain intellectual data. 

The hackers exfiltrated a host of sensitive patient information, including Social Security numbers, contact details, patient names, and dates of birth. It remains one of the largest healthcare data breaches to date. Patients soon filed a lawsuit against CHS for its security failings, which was settled out of court for $3.1 million in February 2019. 

The October 8 judgement will resolve the states’ investigation into the breach and will require CHS to pay the involved states $5 million, in total. CHS will also enter into an agreement to implement and maintain a comprehensive information security program with specific security requirements. 

The agreement stipulates CHS must develop, implement, and written security program designed to protect the security and integrity of protected health information, including administrative, technical, and physical safeguards. 

Those safeguards must include a policy of minimum necessary access “only to the extent... to accomplish its intended purpose to fulfill its regulatory, legal, and contractual obligations.” 

Further, CHS is required to implement and maintain password management policies and practices to manage access to user, service, and vendor accounts, including required strong and complex passwords and password rotations and prohibiting default, shared, group, or generic passwords. Passwords may also not be saved in plaintext.  

The health system must also implement and maintain reasonable controls to secure privileged credentials, leveraging multi-factor authentication and a Privileged Access Management tool – or “reasonably equivalent technology to gain access to credentials.”

The agreement also calls for an encryption requirement for personally identifiable information and PHI.  

“Provided, however, that any decision to transmit or store unencrypted PI or PHI shall be approved by the CISO, who shall conduct an appropriate risk assessment,” according to the agreement. It should be noted those standards are also required by HIPAA. 

Lastly, CHS must conduct an annual risk assessment, as well as a risk-based penetration testing program, email filtering, phishing solutions, intrusion detection, data loss protection, endpoint detection, logging, and whitelisting. CHS will also need to implement and maintain policies and procedures for its business associates. 

CHS is also required to employ an executive or officer whose full-time duty will be to implement, maintain, and monitor the security program. 

“CHS failed to implement and maintain reasonable security practices,” Iowa Attorney General Tom Miller said in a statement. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure.” 

“Settlements like this one promote improved security procedures in order to safeguard that information,” Nevada Attorney General Aaron Ford, said in a statement. “Even companies that have not been breached should review recent settlements in this arena and evaluate whether their policies and procedures for network security should be enhanced.” 

The agreements are between CHS and Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia. 

It’s been a rough legal year for CHS, which also settled a lawsuit with the Norfolk County Retirement System and other affected parties for $53 million over alleged Medicaid fraud after nearly a decade in court. The Department of Justice filed a complaint against CHS in January after the whistleblower lawsuit.

Next Steps

Dig Deeper on Cybersecurity strategies