Community Health Systems Professional Services Corporations (CHSPSC), LLC
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
In 2014, Community Health Systems Professional Services Corporation (CHSPSC), LLC, experienced a significant data breach that impacted approximately 6.1 million patients. This breach was a result of a cyberattack by Chinese hackers who utilized advanced malware to access and exfiltrate patient data, including names, birthdates, Social Security numbers, phone numbers, and addresses, between April and June 2014. Notably, credit card details and medical data were not compromised in this breach[1][6].
Following the breach, CHSPSC faced legal and financial repercussions. The company agreed to pay $5 million to settle investigations by 28 state attorneys general into the breach. This settlement was announced in October 2020 and was part of a broader effort to address the fallout from the breach, which also included a $3.1 million settlement of a class action lawsuit with affected patients in February 2019[1].
Additionally, CHSPSC agreed to a $2.3 million settlement with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) for violations related to the breach. This settlement was announced in September 2020 and was notable for being one of the largest HIPAA violation fines of that year. The OCR’s investigation found systemic noncompliance with the HIPAA Security Rule at CHSPSC, including failures in implementing information system activity review, security incident procedures, access controls, and conducting a risk analysis[6][10].
As part of the settlements, CHSPSC was required to implement and maintain a comprehensive information security program designed to safeguard personal and protected health information. This program includes specific security measures such as developing a written incident response plan, incorporating security awareness and privacy training for all personnel with access to protected health information, limiting unnecessary or inappropriate access to such information, and implementing policies and procedures regarding business associates[1][6].
These legal and financial settlements underscore the significant consequences of failing to protect sensitive patient information and the importance of adhering to data protection regulations such as HIPAA. They also highlight the growing threat of cyberattacks on healthcare organizations and the need for robust cybersecurity measures to protect against such threats.
Citations:
- https://www.fiercehealthcare.com/tech/chs-to-pay-5m-to-28-states-to-settle-2014-data-breach
- https://attorneygenerallynnfitch.com/2020/10/08/ag-fitch-obtains-judgment-in-community-health-systems-data-breach/
- https://www.bizjournals.com/nashville/news/2023/02/14/cyber-attack-exposes-data-of-chs-patients-forta.html
- https://www.hipaajournal.com/march-2023-healthcare-data-breach-report/
- https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/chspsc/index.html
- https://www.infosecurity-magazine.com/news/chspsc-agrees-2m-data-breach/
- https://www.databreaches.net/community-health-systems-estimates-1-million-patients-impacted-by-vendors-goanywhere-breach/
- https://www.naplesnews.com/story/news/2023/05/11/more-than-1-2-million-patients-face-risks-after-data-breach-at-chs/70198714007/
- https://www.hipaajournal.com/community-health-systems-pays-5-million-to-settle-multi-state-breach-investigation/
- https://www.hipaajournal.com/business-associate-fined-2-3-million-for-breach-of-6-million-records-and-multiple-hipaa-failures/
- https://www.scag.gov/about-the-office/news/attorney-general-alan-wilson-obtains-judgment-resolving-community-health-systems-data-breach-investigation/
- https://www.lanereport.com/131716/2020/10/attorney-general-announces-nearly-5-million-multi-state-settlement-with-chs-community-health-systems-inc-for-data-security-breach/
- https://www.tn.gov/attorneygeneral/news/2020/10/8/pr20-44.html
- https://www.campussafetymagazine.com/news/chs-community-health-systems-to-pay-5m-for-data-breach/
- https://williamsonsource.com/franklin-based-health-company-experiences-cyber-attack-exposes-info-of-1m-patients/
- https://www.pahomepage.com/news/data-breach-impacts-community-health-systems-hospitals/
- https://www.myfloridalegal.com/newsrelease/judgment-obtained-resolving-data-breach-investigation
- https://www.idstrong.com/data-breaches/chspsc-llc-breach/
- https://ncdoj.gov/attorney-general-josh-stein-announces-5-million-settlement-with-community-health-systems/
- https://www.bankinfosecurity.com/chs-to-notify-1-million-in-breach-linked-to-software-flaw-a-21405
- https://www.careersinfosecurity.com/more-breach-fines-for-community-health-systems-a-15142