On September 23, 2020, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced that CHSPSC, LLC, or Community Health Systems, must pay a $2.3 million settlement after a data breach occurred that affected 6 million individuals. Here, Maryland, D.C., and Virginia attorneys at Eccleston & Wolf discuss the situation and the importance of complying with HIPAA security measures.

CHSPSC Cyber Attack & Data Breach Affects Over 6 Million Individuals

CHSPSC provides business services such as accounting, human resources, information technology and health information management to hospitals and clinics. In April of 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that they had fallen victim to a cyber-attack. Through this attack, hackers compromised CHSPSC’s system and gained access to administrative credentials through a virtual private network.

Thereafter, the company still fell victim to additional attacks throughout August 2014, ultimately affecting the protected health information (PHI) of more than 6 million individuals. Some of the information that was disclosed included personal information such as name, date of birth, social security number, email address and emergency contact information.

Multiple Patients Filed Additional Lawsuits Against CHSPSC for Inadequate Security

While the original data breach for CHSPSC occurred in April of 2014, threatening activity was still detected in their internal systems through August 2014. This continuation of cybersecurity threats after CHSPSC was originally notified by the FBI sparked a legal response from patients who believed CHSPSC could have prevented these attacks. Several of these patients filed lawsuits alleging that CHSPSC “failed to implement and follow basic security procedures, subjecting patients to identity thieves.” This resulted in a settlement of $3.1 million.

HIPAA Compliance Audit from OCR Results in $2.3 Million Settlement

The Office for Civil Rights, or OCR, conducted an audit after this $3.1 million settlement, which revealed longstanding, systematic noncompliance with HIPAA security rules, including access controls, strategic procedures for security incidents and proactive risk assessments. Additionally, OCR found that CHSPSC did not implement technical policies that prevented access to their internal platforms, nor did they continuously monitor access logs or security incidents within their software platforms. Ultimately, the company agreed to pay an additional $2.3 million to OCR and to adopt and implement a corrective action plan to settle these alleged HIPAA violations. The complete resolution agreement can be accessed here: https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf.

CHSPSC Enters Into Corrective Action Plan With Monitoring from HHS

The Corrective Action Plan, or CAP, is monitored by the Department of Health and Human Services (HHS). Through this plan, CHSPSC will be required to designate an individual with extensive knowledge of HIPAA regulations and compliance measures to serve as a representative. Furthermore, they must develop a written plan in compliance with the CAP to internally monitor security and HIPAA compliance. Finally, CHSPSC must revisit their current security policies and HIPAA standing, and work with their designated representative and HHS to create an updated list of policies and procedures and to create a training plan for employees. CHSPSC is also required to meet with HHS on a frequent basis to provide comprehensive updates and tangible results from the changes being made.

The Defense Team at Eccleston and Wolf

Providers, practitioners and business associates that deal with sensitive PHI must be mindful of HIPAA regulations and requirements for protecting and securing such information.  Otherwise, as exemplified above, potentially significant sanctions and penalties may result.  If you have questions about or are facing such a situation, please contact us at our Maryland, Virginia, or D.C. office to see how we can assist you.