October 24, 2020

Volume X, Number 298

HIPAA Business Associate Pays $2.3 Million Settlement After Hackers Target PHI of Over 6 Million Individuals

Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.

The services provided by CHSPSC to the health care facilities included legal, compliance, accounting, operations, human resources, information technology, and health information management services. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, the hackers continued for several months to access and exfiltrate the protected health information (PHI) of over 6 million individuals. The information obtained included names, sex, dates of birth, phone numbers, Social Security numbers, emails, ethnicity, and emergency contact information.

OCR’s investigation found longstanding systemic noncompliance with HIPAA at CHSPSC, including failure to conduct a risk analysis as well as failures to implement information system activity review, security incident procedures, and access controls. OCR was particularly critical of the organization’s failure to implement security protections even after being notified by the FBI of the potential breach. Apart from the significant monetary penalty, CHSPSC must comply with a corrective action plan (CAP) that includes the following: development of an internal monitoring plan; completion of an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic systems, data systems, programs, and applications that involve ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must meet with the approval of the Department of Health & Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume X, Number 274

About this Author

Jean Tomasco, Robinson Cole Law Firm, Hartford, Labor and Employment, Litigation Law Attorney
Counsel

Jean Tomasco's practice involves employer counseling and employment litigation, with an emphasis on the Employee Retirement Income Security Act (ERISA) and benefits litigation. She is a member of the firm’s Health + Benefits Litigation Team and its Labor, Employment, Benefits + Immigration Group.

Employee Benefits and Compensation Litigation

Jean has more than two decades of experience handling benefit claims litigation. She represents insurers, managed care organizations, and employers in benefit...

860-275-8323