Pramote Lertnitivanit/istock via

OCR Settles With Business Associate CHSPSC for $2.3 Over Breach of 6M

CHSPSC, a Community Health Systems business associate, reported a breach of 6 million patients in 2019. The OCR audit found longstanding, systemic noncompliance with HIPAA.

The Department of Health and Human Services Office for Civil Rights reached a $2.3 million settlement with CHSPSC, which provides services to hospitals and clinics indirectly owned by Community Health Systems, after a data breach impacted more than 6 million patients in 2014. 

CHS owns over 200 hospitals across the country and is one of the largest hospital networks in the US. 

On April 10, 2014, the Chinese-backed advanced persistent threat group, APT18, stole administrative credentials from CHSPSC and remotely accessed the information system through its virtual private network (VPN), launching a malware payload and obtaining intellectual data. 

CHSPSC did not detect the breach until they were notified by the FBI eight days later on April 18. However, attacker activity remained on the system until August 18, 2014. 

The investigation revealed that 237 covered entities served by CHSPSC were affected by the breach. In total, the hackers exfiltrated the protected health information of 6.12 million patients. The data included names, Social Security numbers, sex, dates of birth, contact information, ethnicities and emergency contact details. 

By October 2014, several patients had filed lawsuits against CHS over the breach alleging they “failed to implement and follow basic security procedures, subjecting patients to identity thieves.” The parties reached a $3.1 million settlement in 2019. 

The OCR audit that followed revealed longstanding, systemic noncompliance with the HIPAA Security Rule, such as failure to conduct a risk analysis and to implement information system activity review, security incident procedures, and access controls. 

The audit named five potential HIPAA violations at CHSPSC, including failing to prevent unauthorized access to ePHI and failing to respond to and mitigate a known security incident and its effects. 

OCR also found CHSPSC did not implement technical policies and procedures to only allow access to individuals or software programs with granted access, nor did CHSPSC implement procedures to routinely review log records recording activity on its information systems, including audit logs, access reports, and security incident tracking reports. 

Further, CHSPSC failed to conduct accurate and thorough assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held in its system. 

“The healthcare industry is a known target for hackers and cyberthieves,” OCR Director Roger Severino, said in a statement. “The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.” 

In addition to the $2.3 million civil monetary penalty, CHSPSC has agreed to enter into a corrective action plan to ensure compliance with the HIPAA rules. CHSPSC is required to develop and submit to HHS a written plan to internally monitor compliance with the CAP. 

CHSPSC will need to conduct an accurate, thorough, enterprise-wide security risk analysis of all potential vulnerabilities to its electronic equipment, data systems, programs and applications that contain, store, transmit or receive ePHI.  

“For purposes of clarity, the Risk Analysis will exclude all electronic equipment, data systems, programs and applications that contain, store, transmit or receive ePHI solely at CHS Affiliates, but will include any interfaces, applications, and protocols from the CHS Affiliates to CHSPSC through which ePHI is transmitted from the CHS Affiliates to CHSPSC,” according to the resolution agreement. 

CHSPSC will need to develop a complete inventory of all connected devices and equipment, which OCR recently stressed can improve the HIPAA-required risk analysis, as well as review and revise policies and procedures for technical access controls for any and all software applications and network or server equipment and systems and information system activity review.

The CAP also requires CHSPSC to review and revise its policies and procedures for how it responds and reports security incidents, including mitigation and documentation methods. All employees will then need to be re-trained on all of these new policies and procedures, which must include a procedure for internal reporting. 

This is the second OCR settlement for potential HIPAA violations announced this week, after a lull amid the COVID-19 pandemic. On September 21, Athens Orthopedic Clinic reached a $1.5 million settlement with OCR over its 2016 data breach caused by the notorious hacking group known as “thedarkoverlord” (TDO). 

OCR’s investigation into the data breach found systemic noncompliance with HIPAA.

Next Steps

Dig Deeper on HIPAA compliance and regulation