Healthcare providers and entrepreneurs continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. in Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of the Privacy and Security Rules. OCR's investigation and settlement stem from a data breach affecting more than six million people.
The services provided by CHSPSC to health care institutions included legal, compliance, accounting, operations, human resources, information technology and health information management services. In April 2014, the FBI informed CHSPSC that a cyber hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, hackers continued for several months to access and exfiltrate the protected health information (PHI) of more than 6 million people. The information obtained included names, gender, dates of birth, phone numbers, social security numbers, emails, ethnicity and emergency contact details.
OCR's investigation revealed long-standing systemic non-compliance with HIPAA at CHSPSC, including failure to perform a risk analysis as well as failure to review information system activity, security incident procedures and access controls. OCR was particularly critical of the organization's failure to implement security protections even after being informed by the FBI of the potential breach. In addition to the significant monetary fine, CHSPSC must comply with a corrective action plan (CAP) which includes the following elements: development of an internal monitoring plan; completion of an enterprise-wide security risk and vulnerability analysis that integrates all electronic systems, data systems, programs and applications involving ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must receive approval from the Department of Health and Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.
Copyright © 2021 Robinson & Cole LLP. All rights reserved.

National Law Review, Volume X, Number 274