A management company that provides services to affiliates of Community Health Systems has agreed to pay HHS' Office for Civil Rights $2.3 million, the agency said Wednesday.
The fine levied on CHSPSC, a business associate that provides accounting, compliance, information technology and other services to hospitals and clinics indirectly owned by the Franklin, Tenn.-based for-profit system, settles alleged HIPAA violations related to a 2014 data breach affecting more than 6 million people.
The $2.3 million fine marks the largest HIPAA settlement OCR has announced this year.
The Federal Bureau of Investigation in April 2014 notified CHSPSC it had traced a cyberattack from a hacking group, known as APT18, to the company's information system. The hackers were using compromised administrative credentials to remotely access the information system through a virtual private network, according to OCR.
CHS reported in a 2014 regulatory filing that it suspected the hacking group was from China and was seeking intellectual property on medical devices and other equipment.
Despite the FBI's notice, hackers were able to continue accessing the system through August of that year, ultimately exfiltrating protected health information of more than 6 million people from 237 covered entities served by CHSPSC, according to OCR. The breach compromised name, sex, date of birth, phone number, Social Security number, email, ethnicity and emergency contact information.
"The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable," said OCR Director Roger Severino in a statement.
During an investigation, OCR officials said they found "longstanding, systemic noncompliance with the HIPAA Security Rule," such as alleged failures to conduct risk analyses, implement appropriate access controls and regularly review records of activity on information systems.
In addition to the monetary settlement, CHSPSC will implement a corrective action plan, which includes HHS monitoring the company's HIPAA compliance for two years.
A CHS spokesperson in an emailed statement said it has "long disputed" OCR's allegations, arguing CHSPSC had appropriate risk controls in place at the time of the cyberattack and "responded promptly when it learned of the attack and worked closely with the FBI and consistent with the FBI's recommendations."
"We settled these allegations without any admission of fault after a six-year investigation in which we provided OCR ample evidence that its allegations were inaccurate," the spokesperson said. "Regardless, we are pleased with the outcome and glad to finally put this to an end."