HHS Issues Yet Another Big HIPAA Breach-Related Fine
Tennessee-based CHSPSC LLC, a unit of Community Health Systems Inc. that provides IT and health information services to the system’s hospitals and clinics, has agreed to pay $2.3 million to settle a case tied to a 2014 breach affecting 6.1 million individuals.
CHS’s affiliates own, operate or lease 93 hospitals in 16 states, the company’s website notes.
In a statement Wednesday, the Department of Health and Human Services’ Office for Civil Rights says CHSPSC LLC has also agreed to adopt a corrective action.
OCR notes that in April 2014, the FBI notified CHSPSC that the Chinese advanced persistent threat group known as APT 18 had attacked the company’s systems. “Despite this notice, the hackers continued to access and exfiltrate the protected health information of [millions of] individuals until August 2014,” OCR says. “The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network.”
OCR says its investigation found “longstanding, systemic noncompliance with the HIPAA