Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.
The services provided by CHSPSC to the health care facilities included legal, compliance, accounting, operations, human resources, information technology, and health information management. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, the hackers continued for several months to access and exfiltrate the protected health information (PHI) of some six million individuals. The information obtained included names, gender, dates of birth, phone numbers, Social Security numbers, emails, ethnicity, and emergency contact information.
OCR’s investigation found longstanding systemic noncompliance with HIPAA at CHSPSC, including failure to conduct a risk analysis as well as failures to implement information system activity reviews, security incident procedures, and access controls. OCR was particularly critical of the organization’s failure to implement security protections even after being notified by the FBI of the potential breach. Apart from the significant monetary penalty, CHSPSC must comply with a corrective action plan (CAP) that includes the following: development of an internal monitoring plan; completion of an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic systems, data systems, programs and applications that involve ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must meet with the approval of the Department of Health & Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.