CHS to pay $5M to 28 states to settle 2014 data breach

Franklin, Tennessee-based Community Health Systems will pay $5 million to settle investigations into a 2014 data breach that impacted 6.1 million patients.

CHS and an associate, CHSPSC, agreed to pay the settlement to 28 state attorneys general, according to a press release issued by Iowa Attorney General Tom Miller Thursday.

At the time of the 2014 data breach, CHS owned, leased, or operated 206 affiliated hospitals. Exposed in the breach were the names, birthdates, Social Security numbers, phone numbers and addresses of patients, according to a petition filed in Polk County District Court (PDF).

In August 2014, CHS officials confirmed to the Securities and Exchange Commission that the data of 4.5 million patients was compromised between April 2014 and June 2014 due to a malware attack.


According to officials, Chinese hackers used advanced persistent threat techniques and advanced malware in a campaign focused solely on obtaining intellectual data. The hackers exfiltrated patient names, Social Security numbers, addresses, dates of birth, and phone numbers. Credit card details and medical data were not breached.

In February 2019, CHS settled a class action lawsuit with patients impacted by the breach for $3.1 million.

As part of the judgment (PDF), CHS also agreed to implement and maintain a comprehensive information security program reasonably designed to safeguard personal information and protected health information, which will include specific information security requirements, according to the press release.

“CHS failed to implement and maintain reasonable security practices,” Miller said in a statement. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure.”


Specific information security measures contained in the agreed judgment include requirements to develop a written incident response plan; to provide security awareness and privacy training for all personnel who have access to protected health information; to limit unnecessary or inappropriate access to protected health information; and to implement specific policies and procedures regarding business associates.

In addition to Iowa, other states participating in this settlement include Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington and West Virginia.