In the healthcare industry, it is obvious that patient data security is extremely important. Unfortunately, not all healthcare providers take data security seriously, and the consequences can be devastating. One such case is Community Health Systems (CHS), whose 2014 breach ended in a multistate settlement and which was then hit again by the Cl0p ransomware group, affecting millions of patients in total.
No one is protected from HIPAA "double jeopardy." In other words, a covered entity or business associate that fails to comply with HIPAA may face penalties at both the federal and the state level for the same incident.
The Office for Civil Rights (OCR) investigates healthcare organizations that have been breached, and when they are found to have violated HIPAA, they can face fines. A state attorney general may also file a lawsuit against the entity alleging violation of the state's healthcare privacy and security laws (and, since the HITECH Act, state attorneys general may also sue under HIPAA itself). In many instances, multiple states have banded together to pursue a multistate lawsuit against a business, citing violations of state privacy laws. Litigation of this kind can result in a multimillion-dollar settlement with the plaintiffs.
What is Ransomware?
Before discussing the details of Community Health Systems' ransomware attack, it's important to understand what ransomware is.
Ransomware is a type of malware that encrypts a victim's files, with the attackers demanding payment in exchange for the decryption key. Many ransomware groups now also steal copies of the data before encrypting it and threaten to publish it if the ransom is not paid, so an incident can expose patient records even when backups allow the systems to be restored. Ransomware attacks have become increasingly common in recent years and can have severe consequences, including the loss or theft of sensitive data and financial losses for victims.
Community Health Systems Hit By Another Large Breach
Community Health Systems clearly has not learned its lesson, having suffered two huge breaches in the last several years that compromised the protected health information (PHI) of millions of patients. Both breaches have led to lawsuits against the health system. The latest intrusion exposed patients' names, birthdates, Social Security numbers, phone numbers, and addresses.
In August 2014, CHS informed the Securities and Exchange Commission that malware attacks between April 2014 and June 2014 had exposed the PHI of 6.1 million patients. In 2020, CHS reached a $5 million settlement with 28 states and a separate $2.3 million settlement with the Department of Health and Human Services Office for Civil Rights.
One would think that after spending years settling a lawsuit for a breach, an organization would be more careful and take the necessary steps to become fully compliant. Nope.
CHS estimates that up to one million patients may have been impacted in the past year's data breach. The Cl0p campaign targeted several organizations, including Hatch Bank, CHS, and other healthcare organizations, through a vulnerability in a third-party file-transfer product rather than through CHS's own network.
Lessons Learned From the CHS Breach
The CHS breaches had a significant impact on both the healthcare provider and its patients. After the 2014 breach, CHS had to spend millions of dollars to restore its systems and recover lost data, yet it still failed to protect patient data from the Cl0p attack.
Patients whose data was stolen may have to deal with identity theft, financial losses, and other consequences for years, since Social Security numbers and birthdates cannot be reissued the way a credit card can. These breaches provide several lessons for healthcare providers seeking to improve their data security practices.
These lessons include:
- Regularly assess and update security measures to address emerging threats, including the third-party software and vendors that handle your PHI.
- Patch known vulnerabilities promptly, especially in internet-facing systems, as both CHS breaches began with an attacker exploiting a known flaw.
- Train employees in data security best practices and HIPAA, including how to identify and report suspicious activity.
- Implement policies and procedures for handling sensitive data, including access controls, data backup, and recovery.
- Regularly test security measures, including backup restores, to ensure they actually work when needed.
HIPAA and State Enforcement of Healthcare Breach Lawsuits
The HIPAA Security Rule requires healthcare providers to implement safeguards that ensure the confidentiality, integrity, and availability of electronic patient data. When a healthcare provider experiences a data breach, OCR investigates the organization, and if a HIPAA violation is found, OCR can impose a civil monetary penalty or negotiate a settlement that usually includes a corrective action plan.
Patients affected by a breach cannot sue the organization under HIPAA itself, because HIPAA provides no private right of action. They may, however, file a lawsuit under state privacy and security laws or common-law theories such as negligence. These lawsuits can result in significant financial penalties for the provider, as well as damage to its reputation.
HIPAA Compliance Prevents Healthcare Breaches
Providers greatly reduce their breach risk by becoming HIPAA compliant. HIPAA security risk assessments, policies and procedures, and annual employee HIPAA training are crucial to preventing healthcare breaches. You can meet your requirements with ease using Compliancy Group's software, and ensure you never miss a step.
Many ransomware incidents begin with employee error, such as a phishing email or a reused password, and HIPAA training is essential to preventing these. Training cannot stop every attack, however: the Cl0p campaign entered through a software vulnerability, so training must be paired with timely patching and vendor oversight. Training should cover the fundamentals of HIPAA, a summary of your organization's policies and procedures, information on cybersecurity, and guidelines for using social media. The HIPAA solution from Compliancy Group comes with comprehensive digital training for your entire staff. You can track who has completed required training, send automated annual reminders to employees, and store their legal attestations.
Spend less time on HIPAA, and protect your company from legal and financial risk!