A vendor that works with healthcare providers has agreed to repay $2.3 million after it was hacked and the personal information of more than 6 million individuals was compromised, in a settlement with the Department of Health & Human Services’ Office of Civil Rights.
The vendor — CHSPSC — is owned by Community Health Systems in Franklin, Tenn., and provides information technology and health information management services to hospitals and healthcare providers.
CHSPSC was warned in 2014 by the Federal Bureau of Investigation that it had traced a threat to the company’s information system. The hackers, using compromised administrative credentials, accessed CHSPSC’s servers via a virtual private network for four months, eventually exfiltrating the personal information, including the name, sex, date of birth, phone number, Social Security number, email, ethnicity, and emergency contact information of 6.1 million individuals.
“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino, in a statement.
Along with paying the fine, CHSPSC has also agreed to a corrective action plan, including the development of an internal monitoring plan, conducting a risk analysis and developing a risk management plan, and revising its policies and procedures — including its training program.
Community Health Systems last year settled a lawsuit with individuals who were victims of the breach. Each victimized individual was entitled to up to $250 for lost wages covering the time spent dealing with the breach, as well as any out-of-pocket expenses. Individuals who actually had their identities stolen because of the breach were entitled to receive up to $5,000.