HHS Issues Yet Another Big HIPAA Breach-Related Fine
$2.3 Million Settlement Is Second Announced This Week
For the second time this week, federal regulators have doled out a hefty financial penalty as part of a HIPAA settlement after an investigation of a breach tied to a hacking incident.
Tennessee-based CHSPSC LLC, a unit of Community Health Systems Inc. that provides IT and health information services to the system's hospitals and clinics, has agreed to pay $2.3 million to settle a case tied to a 2014 breach affecting 6.1 million individuals.
CHS’s affiliates own, operate or lease 93 hospitals in 16 states, the company’s website notes.
In a statement Wednesday, the Department of Health and Human Services’ Office for Civil Rights says CHSPSC LLC has also agreed to adopt a corrective action.
OCR notes that in April 2014, the FBI notified CHSPSC that the Chinese advanced persistent threat group known as APT 18 had attacked the company’s systems. “Despite this notice, the hackers continued to access and exfiltrate the protected health information of [millions of] individuals until August 2014,” OCR says. “The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network.”
OCR says its investigation found “longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis and failures to implement information system activity review, security incident procedures and access controls.”
Roger Severino, OCR director, notes in the statement: “The failure to implement the security protections required by the HIPAA rules, especially after being notified by the FBI of a potential breach, is inexcusable.”
APT 18 has been implicated in other cyberattacks, including those targeting cancer research centers (see: Chinese APT Groups Target Cancer Research Facilities: Report).
The resolution agreement between OCR and CHSPSC notes that APT 18 exfiltrated patient names, dates of birth, phone numbers, Social Security numbers, email addresses and more.
Corrective Action Plan
Under a corrective action plan, CHSPSC has agreed to conduct an enterprise-wide analysis of security risks and vulnerabilities. CHSPSC will also:
- Review and revise its policies and procedures regarding technical access controls for all software applications and network or server equipment and systems to ensure authorized access is limited to the minimum amount necessary and to prevent impermissible access and disclosure of ePHI;
- Update its policies and procedures regarding regular review of audit logs, access reports and security incident tracking reports;
- Revise its security incident procedures and response practices;
- Review and revise its policies and procedures regarding password management, specifically relating to password strength and safeguarding;
- Distribute the approved updated policies and procedures to all relevant CHSPSC workforce members and provide workforce training.
Neither CHSPSC nor CHS immediately responded to Information Security Media Group’s request for comment on the settlement.
In the years leading up to the cyberattack, Community Health Systems experienced “explosive growth through mergers and acquisition,” says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
“The HIPAA Security Rule requires that organizations handling PHI take appropriate steps to continually assess its risk-based information security safeguards when there are significant changes in the business and information technology environment,” he says. “The experience of CHS’ and its corporate managed service provider’s failure to effectively manage change should serve as a cautionary tale to others in a healthcare industry that is seeing tremendous consolidation and activity through mergers and acquisitions.”
The size of the penalty paid by CHSPSC is a result of OCR finding the organization failed to implement a reasonable risk-based information security program, he adds. “These failures prevented the covered entity from discovering that access to the information system had been compromised.”
In 2019, CHS reached a $3.1 million settlement in a class action lawsuit related to the breach (see: Settlement Reached in Community Health System’s Breach).
The $2.3 million settlement with CHSPSC is the largest HIPAA fine levied by OCR so far this year.
On Monday, OCR announced a $1.5 million financial settlement, including an extensive corrective action plan, with Georgia-based Athens Orthopedic Clinic.
Last week, OCR announced five smaller HIPAA settlements with healthcare organizations stemming from complaints about a lack of patient access to their healthcare information (see: Fines Tied to Failure to Provide Patient Records).