
CHSPSC, LLC has agreed to pay $2.3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve possible violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.

CHSPSC is a “business associate” as defined under federal rules and therefore is required to comply with HIPAA security rules. The management company provides services to subsidiaries and affiliates of Community Health Systems, Inc. Its services include assisting with legal, information technology, and compliance obligations.

The settlement results from a 2014 cyber-attack which affected more than six million people. In 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that “it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system.” The group is known as APT18.

APT18 utilized compromised administrative credentials “to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals” for nearly four months following the FBI’s notice. During this time, PHI was exposed including “name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.”

HHS’s investigation found numerous potential violations, notably that CHSPSC potentially failed to prevent unauthorized access to the electronic PHI maintained in its network. It is also possible that CHSPSC failed to respond to and mitigate a known security threat during the four months of the cyber-attack.

In addition to the financial agreement, CHSPSC will also implement a corrective action plan. The corrective action plan includes two years of monitoring. Under the corrective action plan, CHSPSC will conduct a risk analysis and develop and implement a risk management plan. CHSPSC will also provide requisite training to its workforce members.

In the HHS press release OCR Director Roger Severino said, “The health care industry is a known target for hackers and cyberthieves.”

Severino continued, “The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”
