HIPAA Business Associate Pays $2.3 Million Settlement After Hackers Target PHI of Over 6 Million Individuals
Wednesday, September 30, 2020
HIPAA Violations in Tennessee
Print Mail Download i

Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.

The services provided by CHSPSC to the health care facilities included legal, compliance, accounting, operations, human resources, information technology, and health information management services. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, the hackers continued for several months to access and exfiltrate the protected health information (PHI) of over 6 million individuals. The information obtained included names, sex, dates of birth, phone numbers, Social Security numbers, emails, ethnicity, and emergency contact information.

OCR’s investigation found longstanding systemic noncompliance with HIPAA at CHSPSC. including failure to conduct a risk analysis as well as failures to implement information system activity review, security incident procedures, and access controls. OCR was particularly critical of the organization’s failure to implement security protections even after being notified by the FBI of the potential breach. Apart from the significant monetary penalty, CHSPSC must comply with a corrective action plan (CAP) that includes the following: development of an internal monitoring plan; completion of an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic systems, data systems, programs and applications that involve ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must meet with the approval of the Department of Health & Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Weight Loss, Miracle Medications & the Workplace
by: Abby M. Warren
Additional States Implement Notice Requirements for Healthcare Transactions
by: Leslie J. Levinson , Danielle H. Tangorre
Privacy Tip #393 – Phishing, Smishing, Vishing and Qrishing Schemes Continue to Dupe Users
by: Linn F. Freedman
Congress Introduces Promising Bipartisan Privacy Bill
by: Blair V. Robinson
HC3 Warns Health Sector About Social Engineering Attacks Against IT Help Desks
by: Linn F. Freedman
California Privacy Protection Agency Issues Advisory on Data Minimization
by: Kathryn M. Rattigan
FTC Ruling on Proposed Facial Recognition Safe Harbor under COPPA
by: Kathryn M. Rattigan
EPA Turns Up the Pressure on Chemical Release Prevention and Preparation
by: Brian C. Freeman , Emily C. Deans
HHS Updates Guidance on Use of Tracking Technologies with Websites and Mobile Apps
by: Linn F. Freedman
Convergent Outsourcing Settles Data Breach Class Action for $2.45 Million
by: Kathryn M. Rattigan

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins