Community Health Systems To Pay $5 Million to Resolve Multi-State Action

Community Health Systems based in Franklin, TN and its subsidiary CHSPCS LLC agreed to resolve a multiple-state action with 28 state attorneys general by paying $5 million.

An investigation headed by Attorney General Herbert H. Slatery III of Tennessee began subsequent to a protected health information (PHI) breach involving 6.1 million persons in 2014. During that time, Community Health Systems had leased, or run 206 affiliated hospitals. As per a 2014 8-K filing with the U.S. Securities and Exchange Commission, a Chinese advanced persistent threat group attacked the health system and installed malware on its computer networks to steal data files. The attackers stole PHI including names, addresses, phone numbers, dates of birth, gender, ethnicity, Social Security numbers, and emergency contact details.

The HHS’ Office for Civil Rights investigated the same breach and declared late September that it has arrived at a resolution with CHSPCS regarding the breach. A $2.3 million penalty was spent to resolve potential HIPAA violations found in the breach investigation. Aside from the financial fine, CHSPCS accepted to take up a tough corrective action plan to deal with privacy and security issues identified by OCR’s investigators.

Breach victims took legal action against CHS because of the theft of their PHI and CHS resolved the class action lawsuit last 2019 for $3.1 million. The most recent settlement suggests CHS and its affiliates have paid out $10.4 million for breach settlements.

The investigators found that CHS and its affiliates did not set good and suitable security measures to secure that the confidentiality, availability and integrity of PHI on its systems. The provisions of this settlement will help guarantee that patient records are safeguarded from invalid use or disclosure.

The states taking part in the action were Arkansas, Alaska, Florida, Connecticut, Indiana, Illinois, Iowa, Kentucky, Louisiana, Michigan, Massachusetts, Mississippi, Missouri, Nevada, New Jersey, Nebraska, North Carolina, Oregon, Ohio, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, West Virginia and Washington.

Along with paying out the financial charges, CHS and its affiliates have agreed to undertake a corrective action plan and carry out more security options to reinforce the security of its systems. The procedures comprise of establishing a written incident response strategy, requiring security awareness and privacy training to all staff given access to PHI, reducing unneeded or unacceptable access to systems storing PHI, enforcing policies and measures for its business associates, and doing regular audits of all business associates.

CHS need to furthermore carry out an once-a-year risk assessment, employ and maintain a risk-based penetration testing process, utilize and maintain intrusion detection solutions, data loss protection programs, and email filtering and anti-phishing tools. All system activity should be logged, and those records have to be routinely checked for suspicious activity.

A spokesperson for CHS said that the health system is delighted to have settled this six-year-old problem. The company had implemented tougher risk controls and worked directly with the FBI and continually with its advice after learning about the attack.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at