No covered entity or business associate is shielded from being penalized twice for the same HIPAA failure. An organization that does not comply with HIPAA can face enforcement at both the federal and state levels for a single incident.
At the federal level, the Department of Health and Human Services' Office for Civil Rights (OCR) investigates healthcare organizations that report a breach, and those found to have violated the HIPAA Privacy or Security Rules can be fined or pushed into a settlement with a corrective action plan. Separately, a state attorney general may sue the same entity for violating that state's healthcare privacy and security laws, and in many cases several states have banded together to pursue a multistate action citing those laws. Litigation of this kind routinely ends in a multimillion-dollar settlement with the plaintiffs, on top of whatever OCR imposes.
What is Ransomware?
Before discussing the details of Community Health Systems’ ransomware attack, it’s important to understand what ransomware is.
Ransomware is malware that encrypts a victim's files and then demands payment in exchange for the key needed to decrypt them. Because the encryption is done with keys only the attacker holds, the victim cannot recover the data by analyzing the malware itself; without the attacker's key or an intact offline backup, the files stay locked. Ransomware operators also increasingly copy sensitive data out of the network before encrypting it and threaten to publish it, so an attack can mean both loss of access to data and theft of it, along with the financial losses and regulatory exposure that follow for the victim.
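To make the "only the attacker holds the key" point concrete, the following is an added example written for this article, not code from the original page and not related to any real ransomware family. It shows the envelope-encryption pattern ransomware typically uses: a fresh AES-256-GCM data key encrypts the record, that data key is wrapped with RSA-OAEP under the attacker's public key, and the plaintext data key is then wiped. Only the matching RSA private key, which never touches the victim's system, can unwrap it. The patient record and the key names are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedRecord is all that remains on the victim's disk: the GCM nonce,
// the ciphertext, and the AES data key wrapped to the attacker's public key.
// The plaintext data key itself is not kept anywhere.
type EncryptedRecord struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// constructedRecord is a made-up, obviously fake PHI record used as sample input.
var constructedRecord = []byte("patient=Jane Doe; dob=1970-01-01; ssn=000-00-0000; phone=555-0100")

// Encrypt models the attacker side: a per-victim AES-256-GCM key encrypts the
// data, then the key is wrapped with RSA-OAEP under the attacker's public key.
func Encrypt(attackerPub *rsa.PublicKey, plaintext []byte) (*EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	// Wipe the data key: from here on only the RSA private key can recover it.
	for i := range dataKey {
		dataKey[i] = 0
	}
	return &EncryptedRecord{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// Decrypt models the "decryptor" a victim receives after paying: the private
// key unwraps the data key, which then opens the ciphertext. With any other
// private key, OAEP unwrapping fails and nothing is recovered.
func Decrypt(priv *rsa.PrivateKey, rec *EncryptedRecord) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// Demo runs the flow on the constructed record and reports whether the
// attacker's key recovers it and whether an unrelated key does.
func Demo() (rightKeyRecovers bool, wrongKeyRecovers bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	rec, err := Encrypt(&attacker.PublicKey, constructedRecord)
	if err != nil {
		return false, false, err
	}
	got, err := Decrypt(attacker, rec)
	rightKeyRecovers = err == nil && bytes.Equal(got, constructedRecord)

	// A victim or responder who generates their own keypair cannot unwrap the key.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return rightKeyRecovers, false, err
	}
	got, err = Decrypt(other, rec)
	wrongKeyRecovers = err == nil && bytes.Equal(got, constructedRecord)
	return rightKeyRecovers, wrongKeyRecovers, nil
}

func main() {
	right, wrong, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker's key recovers record: %v\n", right)
	fmt.Printf("unrelated key recovers record:  %v\n", wrong)
}
```

The practical takeaway for a HIPAA-regulated organization is the second line of output: no amount of analysis on the victim's side recovers the record, which is why tested, offline backups and a tested restore procedure are the only reliable way to get data back without paying.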
Community Health Systems Hit By Another Large Breach
Community Health Systems (CHS) clearly has not learned its lesson, having suffered two huge breaches in the last several years that compromised the protected health information (PHI) of millions of patients. Both breaches have led to multistate lawsuits against the health system. The latest intrusion exposed patients' names, birthdates, Social Security numbers, phone numbers, and home addresses.
In August 2014, CHS informed the Securities and Exchange Commission that malware attacks between April and June 2014 had exposed the PHI of roughly 6.1 million patients. In 2020, CHS reached a $5 million settlement with 28 states over that breach, and separately a $2.3 million settlement with the Department of Health and Human Services' Office for Civil Rights.
One would think that after spending years settling a lawsuit over a breach, an organization would be more careful and take the steps needed to be fully compliant. Nope.
CHS estimates that up to one million patients may have been affected by the past year's data breach. The Cl0p ransomware group claimed a string of victims in the same campaign, including Hatch Bank, CHS, and other healthcare organizations.