OCR levies $2.3M fine over massive breach affecting PHI of 6M people
[Update: This story has been updated to include a statement from Community Health Systems.]
The U.S. Department of Health and Human Services announced this week that CHSPSC, a Tennessee-based management company providing business associate services to hospitals and physician clinics indirectly owned by Community Health Systems, had agreed to pay $2.3 million to settle potential HIPAA violations.
According to the HHS Office for Civil Rights, the Federal Bureau of Investigation notified CHSPSC in April 2014 that it had flagged an "advanced persistent threat" to CHSPSC's information system.
But the hackers continued to access the information through August of that year, according to the enforcement agency, and breached the protected health information of more than 6 million people.
CHSPSC has also agreed to a corrective action plan including two years of monitoring.
WHY IT MATTERS
Community Health Systems is one of the largest publicly traded hospital companies in the country, as measured by number of facilities. CHSPSC provides services – including IT, health information management, legal and compliance – to hospitals and clinics indirectly owned by CHS.
According to the action plan published on HHS' website, in April 2014, a group of bad actors remotely accessed CHSPSC's information system through its VPN. Eight days later, the FBI notified CHSPSC about the intrusion.
From April through August, the cyber criminals affected 237 covered entities served by CHSPSC and exfiltrated the PHI of more than 6 million people – including name, sex, date of birth, phone number, Social Security number, email and emergency contact information.
"OCR's investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls," said the agency.
"Community Health Systems has long disputed the allegations of the OCR, including those contained in the press release. We settled these allegations without any admission of fault after a six-year investigation in which we provided OCR ample evidence that its allegations were inaccurate," said Community Health Systems in a statement provided to Healthcare IT News.
"The Company responded promptly when it learned of the attack and worked closely with the FBI and consistent with the FBI's recommendations. Further, the Company had robust risk controls in place at the time of the attack, including those required by the HIPAA Rules. Regardless, we are pleased with the outcome and glad to finally put this to an end," the statement continued.
THE LARGER TREND
The $2.3 million is the latest in fines brought by HHS OCR as a result of potential violations of HIPAA.
Most recently, a Massachusetts health network had to pay $70,000 after failing to provide medical records, a potential violation of the HIPAA Privacy Rule's right of access provision.
Although the breach at CHSPSC happened in 2014, the COVID-19 crisis has again shone a spotlight on the potential for bad actors to gain access to protected health information, with some security experts saying the pandemic has acted like "blood in the water" for cybercriminals.
Experts also note that any HIPAA-covered entity breach affecting more than 500 individuals will trigger a data request from OCR.
Although regulators don't have the resources to investigate every incident, the most recent BakerHostetler Data Security Incident Response Report noted that they are "asking harder questions, and their expectations are evolving."
ON THE RECORD
"The healthcare industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable," said OCR Director Roger Severino in a statement.