Community Health Systems and CHSPSC, a management company that provides services to the health system's affiliates, have agreed to pay a cumulative $5 million to 28 state attorneys general to settle investigations into a 2014 data breach.
CHSPSC, a business associate that provides accounting, compliance, information technology and other services to hospitals and clinics indirectly owned by the Franklin, Tenn.-based for-profit system, recently agreed to pay HHS' Office for Civil Rights $2.3 million to settle alleged HIPAA violations stemming from the same data breach.
The Federal Bureau of Investigation in April 2014 notified CHSPSC it had traced a cyberattack from a hacking group, known as APT18, to the company's information system. The hackers were using compromised administrative credentials to remotely access the information system through a virtual private network, OCR said last month.
CHS reported in a 2014 regulatory filing that it suspected the hacking group was from China and was seeking intellectual property on medical devices and other equipment.
Hackers, however, reportedly were able to continue accessing the system through August of that year, ultimately exfiltrating protected health information of more than 6 million people from 237 covered entities served by CHSPSC in multiple states.
The breach compromised name, sex, date of birth, phone number, Social Security number, email, ethnicity and emergency contact information.
In addition to the $5 million judgment, CHS also agreed to implement various information security requirements—including privacy training for personnel with access to protected health information and audits of business associates—as part of the settlement with the 28 states.
The 28 states involved in the settlement are Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington and West Virginia.
A CHS spokesperson in an email to Modern Healthcare stressed that the health system admitted no wrongdoing in the settlement.
"Community Health Systems is pleased to have resolved this six-year-old matter," the spokesperson wrote. "The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack."