Serviceteam IT Security News

A Tennessee firm that provides health data management services has agreed to pay the United States Office for Civil Rights (OCR) $2.3m to settle charges related to a data breach.

Charges were brought against Tennessee-based Community Health Systems (CHSPSC LLC) by 28 states after the personal health information (PHI) of millions of people ended up in the hands of cyber-criminals.

In April 2014, CHSPSC was notified by the Federal Bureau of Investigation that Chinese advanced persistent threat group APT18 had gained access to the company’s information system and was exfiltrating PHI. Despite that notice, the hackers continued to access and exfiltrate PHI until August 2014.

CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. Community Health Systems owned, leased, or operated 206 affiliated hospitals at the time of the data breach.

A total of 6,121,158 individuals were impacted by the cyber-attack on CHSPSC. Data accessed by the threat group included names, birthdates, Social Security numbers, phone numbers, and addresses of patients.

The threat group accessed CHSPSC’s information system remotely, using compromised administrative credentials to get into the company’s virtual private network.

An investigation into the incident by OCR found long-standing, systemic noncompliance with the HIPAA Security Rule that included failures to implement information system activity review, security incident procedures, and access controls and a failure to conduct a risk analysis.
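Of the four failures OCR names, "information system activity review" is the one that would have turned the FBI's notice into something actionable: the attackers held valid administrative credentials and came in through the VPN, so there was nothing to block at the perimeter, only a login pattern to notice. The script below is an added illustration of what a minimal periodic review of VPN authentication logs looks like; it is not code from CHSPSC, OCR or the article. The log format, the account name `admin-ops`, the baseline cutoff date, the working-hours window and every log line are constructed for the example.

```python
"""Minimal information-system activity review over VPN authentication logs."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical "key=value" VPN gateway format;
# none of this is data from the CHSPSC incident.
SAMPLE_LOG = """\
2014-03-02T08:15:03Z vpn-gw01 auth user=jsmith src=198.51.100.24 result=success
2014-03-02T08:20:41Z vpn-gw01 auth user=admin-ops src=198.51.100.24 result=success
2014-03-03T09:02:11Z vpn-gw01 auth user=admin-ops src=198.51.100.30 result=success
2014-04-05T02:13:55Z vpn-gw01 auth user=admin-ops src=203.0.113.77 result=success
2014-04-05T02:14:09Z vpn-gw01 auth user=admin-ops src=203.0.113.77 result=success
2014-04-06T03:41:22Z vpn-gw01 auth user=admin-ops src=203.0.113.78 result=failure
2014-04-07T10:05:00Z vpn-gw01 auth user=jsmith src=198.51.100.24 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumptions for the example: which accounts are administrative, where the
# learning baseline ends, and what counts as working hours (UTC).
ADMIN_ACCOUNTS = {"admin-ops"}
BASELINE_END = datetime(2014, 3, 31, tzinfo=timezone.utc)
WORK_HOURS = range(6, 20)  # 06:00 to 19:59 UTC


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def parse_log(text):
    """Parse every well-formed line of a log text into event dicts."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def build_baseline(events, cutoff):
    """Map each user to the source IPs it successfully used before the cutoff."""
    known = defaultdict(set)
    for ev in events:
        if ev["ts"] < cutoff and ev["result"] == "success":
            known[ev["user"]].add(ev["src"])
    return known


def review(events, baseline, cutoff):
    """Flag successful admin logins after the cutoff that fall outside the baseline.

    Each finding is (timestamp, user, source ip, list of reasons).
    """
    findings = []
    for ev in events:
        if ev["ts"] < cutoff or ev["result"] != "success":
            continue
        if ev["user"] not in ADMIN_ACCOUNTS:
            continue
        reasons = []
        if ev["src"] not in baseline.get(ev["user"], set()):
            reasons.append("new source ip")
        if ev["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["src"], reasons))
    return findings


def run_review(text=SAMPLE_LOG):
    """Learn the baseline from the pre-cutoff events, then review the rest."""
    events = parse_log(text)
    return review(events, build_baseline(events, BASELINE_END), BASELINE_END)


if __name__ == "__main__":
    for ts, user, src, reasons in run_review():
        print(f"{ts} {user} from {src}: {', '.join(reasons)}")
```

Run against the constructed log, the review reports the two April `admin-ops` logins from an address never seen during the baseline period, at 02:13 and 02:14 UTC. A real programme would feed such findings into the security incident procedures OCR also found missing, so that a flagged administrative login is investigated rather than just recorded; the point of the example is that the signal exists in ordinary authentication logs if someone is assigned to look at them.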

“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR director Roger Severino.

Yesterday, Tennessee attorney general Herbert Slatery III, along with the attorneys general of 27 other states, announced a settlement with Community Health Systems and its subsidiary, CHSPSC LLC. As part of the judgement, CHS has agreed to pay $5m to the states.

In addition to the monetary settlement, CHSPSC has agreed to protect patient data by implementing and maintaining a robust security program.

Source: Infosecurity Magazine

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!