Analysis

HIPAA Business Associate Pays $2.3M to Settle Breach Affecting More Than 6M

By Revenue Cycle Advisor
September 29, 2020

The hack, which was carried out through the use of compromised credentials, continued until August 2014.

A version of this article was first published September 29, 2020, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.

CHSPSC, LLC, a business associate providing services such as IT and HIM to hospitals and physician clinics owned by Community Health Systems in Franklin, Tennessee, agreed to pay $2.3 million to the Office for Civil Rights (OCR) and to adopt a corrective action plan to settle potential HIPAA violations.

The potential violations stem from a 2014 security incident. In April 2014, the FBI notified CHSPSC that it had traced an advanced persistent threat to CHSPSC's information system.

However, hackers continued to access protected health information (PHI) from the system and ultimately discovered the PHI of 6,121,158 individuals, according to OCR.

OCR said its investigation found longstanding, systemic noncompliance with the HIPAA Security Rule.

The potential violations included a failure to conduct a risk analysis and a failure to implement information system activity reviews, security incident procedures, and access controls.

In addition to the $2.3 million payment, CHSPSC agreed to implement an extensive corrective action plan.

The plan includes two years of monitoring; an accurate enterprise-wide analysis of security risks and vulnerabilities; a revision of policies and procedures regarding technical access controls for all software applications and network, server, and other equipment and systems; the adoption and distribution of those policies and procedures; and training for its entire workforce.

The proposed training materials must be submitted to HHS for review within 210 days. Once HHS approves the materials, training must be administered within 14 days.

The resolution agreement does not represent an admission of liability by CHSPSC.
