[BreachExchange] CHS associate pays $2.3M HIPAA settlement: 4 details

Destry Winant destry at riskbasedsecurity.com
Thu Sep 24 10:23:09 EDT 2020


https://www.beckershospitalreview.com/cybersecurity/chs-associate-pays-2-3m-hipaa-settlement-4-details.html

A Community Hospital Systems' entity that provides business associate
services to hospitals and clinics agreed to settle violations related
to a potential HIPAA breach for $2.3 million.

Four details:

1. CHSPSC will pay the Office for Civil Rights $2.3 million and adopt
a corrective action plan to settle allegations it violated HIPAA. The
company provides IT, health information management and other services
to the hospitals and clinics owned by Franklin, Tenn.-based CHS.

2. The FBI noticed a cyberhacking group posed an advanced persistent
threat to CHSPSC's information system in April 2014 and gave notice to
the company. However, the hackers were still able to access the
company's system.

3. The hackers exfiltrated protected health information for 6.1
million people in August 2014 and used the compromised administrative
credentials to remotely access the company's information systems
through a virtual private network.

4. An OCR investigation found longstanding, systemic noncompliance
with HIPAA's rules and the company failed to conduct a risk analysis
and implement access controls.

