Franklin, Tenn.-based Community Health Systems has agreed to pay $5 million to settle a 2014 data breach that affected about 6.1 million patients, according to an Oct. 8 Iowa justice department news release.
Five details:
1. In August 2014, a cyberhacking group gained access to CHS' business associate services entity's information system and stole the protected health information of 6.1 million patients.
2. At the time of the breach, CHS owned, leased or operated 206 affiliated hospitals. Patient information exposed as a result of the incident included names, Social Security numbers, birthdates and addresses.
3. The CHS associate, named CHSPSC, agreed to pay the Office for Civil Rights $2.3 million to settle the HIPAA breach, according to a Sept. 24 news release. OCR's investigation found that the company failed to conduct a risk analysis and implement access controls.
4. The Oct. 8 judgment requires CHS to pay $5 million to 28 states participating in the settlement. Those states are: Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.
5. In addition to the financial settlement, CHS also agreed to implement a new information security program with a written incident response plan, security awareness and privacy training for all employees who have access to protected health information and establish new policies for business associates.