In April of 2014, CHSPSC’s information system was hacked. The healthcare hack ended up affecting 6.1 million individuals, exposing their protected health information. As a result, CHSPSC has agreed to settle numerous HIPAA Security Rule violations with OCR. More details are discussed below.
CHSPSC, LLC (“CHSPSC”) provides business associate services, including IT and health information management, to hospitals and physician clinics affiliated with Community Health Systems, Inc. (“CHS”). CHS is one of the nation’s leading operators of general acute care hospitals. CHS is a Fortune 500 mainstay, with over $10 billion in annual revenue.
In April of 2014, CHSPSC’s information system was hacked. The hackers continued to remotely access CHSPSC’s virtual private network through August of 2014. CHSPSC only became aware of the attack when the FBI notified CHSPSC eight days after the attack began. By August of 2014, the damage from this healthcare hack had been done. The intrusion ended up affecting 6.1 million individuals, exposing their protected health information. In light of this damage, a class action lawsuit was filed against CHSPSC; CHSPSC settled the lawsuit for $3.1 million. Now, OCR has taken its turn. CHSPSC has agreed to settle numerous HIPAA Security Rule violations with OCR. Under the settlement, CHSPSC must pay OCR $2.3 million and implement a corrective action plan (CAP).
Healthcare Hack: What Went Wrong?
A number of factors contributed to the severity of this healthcare hack. At the time of the healthcare hack, CHSPSC provided legal, compliance, accounting, operations, human resources, IT, and health information management services to dozens of CHS hospitals and clinics. CHSPSC’s information system therefore stores a significant amount of protected health information (PHI).
On April 18, 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that the FBI had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Eight days earlier, an Advanced Persistent Threat group known as APT18 had compromised CHSPSC administrative credentials and remotely accessed CHSPSC’s information system through CHSPSC’s virtual private network (VPN).
Despite the FBI notification, the hackers continued to use the compromised administrative credentials until mid-August of 2014. Subsequent investigation revealed that the intrusion affected 237 covered entities served by CHSPSC, and that APT18 exfiltrated (removed) the PHI of 6,121,158 individuals, including names, genders, dates of birth, phone numbers, Social Security numbers, email addresses, ethnicity, and emergency contact information.
Healthcare Hack: What Did the OCR Investigation Reveal?
The OCR investigation found longstanding, systemic noncompliance with the HIPAA Security Rule, which included:
◈ Failure to conduct a security risk analysis;
◈ Failure to implement information system activity review;
◈ Failure to implement security incident procedures; and
◈ Failure to implement access controls and audit logs.
OCR found that CHSPSC failed to respond to a known security incident, and failed to mitigate the harmful effects of that incident. In addition to the monetary settlement, CHSPSC has agreed to a corrective action plan (CAP) that includes two years of OCR monitoring of its Security Rule compliance.
In announcing the settlement, OCR Director Roger Severino noted, “The healthcare industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”