HIPAA business associate pays $2.3 million to settle breach affecting more than 6 million individuals

CHSPSC, LLC, a business associate providing services such as IT and HIM to hospitals and physician clinics owned by Community Health Systems in Franklin, Tennessee, agreed to pay $2.3 million to the Office for Civil Rights (OCR) and to adopt a corrective action plan to settle potential HIPAA violations.

The potential violation stems from a 2014 security incident. In April 2014, the FBI notified CHSPSC that it had traced an advanced persistent cyberhacking threat to CHSPCS’s information system. However, hackers continued to access protected health information (PHI) from the system and ultimately discovered the PHI of 6,121,158 individuals, according to OCR. The hack, which was carried out through the use of compromised credentials, continued until August 2014.

OCR said its investigation found longstanding, systemic noncompliance with the HIPAA Security Rule. The potential violations included a failure to conduct a risk analysis and a failure to implement information system activity reviews, security incident procedures, and access controls.

In addition to the $2.3 million payment, CHSPSC agreed to implement an extensive corrective action plan. The plan includes two years of monitoring, an accurate enterprise-wide analysis of security risks and vulnerabilities, a revision of policies and procedures regarding technical access controls for any and all software applications and network or server equipment and systems, the adoption and distribution of the policies and procedures, and training to its entire workforce.

The proposed training materials must be submitted to HHS for review within 210 days. Once HHS approves the materials, training must be administered within 14 days.

The resolution agreement does not represent an admission of liability by CHSPSC.