A Community Health Systems entity that provides business associate services to hospitals and clinics agreed to settle violations related to a potential HIPAA breach for $2.3 million.
Four details:
1. CHSPSC will pay the Office for Civil Rights $2.3 million and adopt a corrective action plan to settle allegations it violated HIPAA. The company provides IT, health information management and other services to the hospitals and clinics owned by Franklin, Tenn.-based CHS.
2. The FBI noticed a cyberhacking group posed an advanced persistent threat to CHSPC's information system in April 2014 and gave notice to the company. However, the hackers were still able to access the company's system.
3. The hackers exfiltrated protected health information for 6.1 million people in August 2014 and used the compromised administrative credentials to remotely access the company's information systems through a virtual private network.
4. An ORC investigation found longstanding, systemic noncompliance with HIPAA's rules and the company failed to conduct a risk analysis and implement access controls.
More articles on cyberattacks:
2nd Nebraska health system reports computer outage in 2 days
Ransomware attack encrypts 30 servers at German hospital: 5 details
Patient sues BJC HealthCare over employee email hack: 4 details