US healthcare provider pays $5m in 2014 data breach settlement


John Leyden 09 October 2020 at 15:30 UTC

More than six million patient records were exposed

US healthcare provider Community Health Systems (CHS) has ended a long-running legal fight by agreeing to pay $5m to settle claims against it over a 2014 data breach that affected more than six million patients.

Attackers broke into a records system maintained by an IT supplier to Community Health Systems and lifted the patient data of 6.21 million people back in August 2014.

The compromised records included names, Social Security numbers, physical addresses, birth dates, and telephone numbers – all useful information for potential identity thieves or other fraudsters.

Tennessee-based CHS owned, leased, or operated 206 hospitals and doctors’ clinics at the time of the breach. IT service firm CHSPSC managed the health information management and IT systems for CHS.

Insufficient action after FBI warning

The FBI warned CHSPSC that its systems were compromised in April 2014. CHSPSC failed to act on this warning in any meaningful way, setting up the bigger problems that followed.

Last month CHSPSC agreed to pay the US Department of Health and Human Services a $2.3 million fine. It also agreed to implement a corrective action plan in order to settle allegations that it violated the US Health Insurance Portability and Accountability Act (HIPAA).

Attackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network (VPN), an investigation by the Office for Civil Rights at HHS discovered.

Security auditors faulted the IT services firm for “systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls”.
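The missing control the auditors single out, “information system activity review”, is the kind of check that would have surfaced a privileged account logging in over the VPN from an unfamiliar source. The script below is an added illustration, not anything from CHS, CHSPSC, or the HHS investigation: it parses constructed VPN log lines (RFC 5737 documentation addresses), and flags successful logins by an assumed admin account that come from outside an assumed expected network, occur outside business hours, or come from more than one source address.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN log lines (not real data); account and network names are hypothetical.
SAMPLE_VPN_LOG = """\
2014-04-11T09:02:11Z user=jsmith src=198.51.100.7 result=success
2014-04-11T23:41:05Z user=svc_admin src=203.0.113.45 result=failure
2014-04-11T23:41:19Z user=svc_admin src=203.0.113.45 result=success
2014-04-12T02:13:44Z user=svc_admin src=203.0.113.88 result=success
2014-04-12T08:30:00Z user=svc_admin src=198.51.100.7 result=success
"""

ADMIN_ACCOUNTS = {"svc_admin"}                                   # assumed privileged accounts
EXPECTED_ADMIN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed approved egress range
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def parse_vpn_log(text):
    """Parse 'timestamp user= src= result=' lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src": ipaddress.ip_address(src), "result": result})
    return events


def review_admin_vpn_activity(events, admin_accounts=ADMIN_ACCOUNTS,
                              expected_networks=EXPECTED_ADMIN_NETWORKS, business_hours=(7, 19)):
    """Return (user, timestamp, reason) findings for successful privileged VPN logins worth review."""
    findings = []
    sources_seen = defaultdict(set)   # distinct source addresses per admin account
    for e in events:
        if e["user"] not in admin_accounts or e["result"] != "success":
            continue
        reasons = []
        if not any(e["src"] in net for net in expected_networks):
            reasons.append("admin login from unexpected network %s" % e["src"])
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            reasons.append("admin login outside business hours")
        sources_seen[e["user"]].add(e["src"])
        if len(sources_seen[e["user"]]) > 1:
            reasons.append("admin account used from %d distinct sources" % len(sources_seen[e["user"]]))
        findings.extend((e["user"], e["ts"].isoformat(), r) for r in reasons)
    return findings


if __name__ == "__main__":
    for finding in review_admin_vpn_activity(parse_vpn_log(SAMPLE_VPN_LOG)):
        print(finding)
```

The failed attempt at 23:41:05 is deliberately not flagged by itself; a production review would also count failures preceding a success, which is one more signal the same log already carries.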

A recently agreed judgment requires CHS to make a $5 million payment to the attorneys general of the 28 US states that sued the healthcare provider.

CHS further agreed to “implement and maintain a comprehensive information security program” designed to safeguard against a repetition of the historic security failure.

“CHS failed to implement and maintain reasonable security practices,” said Iowa Attorney General Tom Miller, in a statement. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure.”
