Ashley Moody, State AGs Obtain Judgment in Community Health Systems Data Breach Investigation

Last week, Attorney General Ashley Moody, along with 27 other state attorneys general, obtained a judgment against Tennessee-based Community Health Systems, Inc., and its subsidiary, CHSPSC LLC. This judgment resolves an investigation of a data breach that impacted approximately 6.1 million patients, including more than 430,000 from the state of Florida.

At the time of the data breach, CHS owned, leased or operated 206 affiliated hospitals, including 37 located in Florida. Information exposed in the breach included the addresses, birthdates, names, phone numbers and Social Security numbers of patients. The judgment, agreed to by CHS, requires a $5 million payment to the states and provides that CHS agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard personal information and protected health information that will include specific information security requirements.

“Health care patients are routinely asked to reveal personal information in the course of treatment. The added stress surrounding a data breach exposing personal information can be overwhelming. I’m glad we were able to provide relief to the more than 430,000 Floridians impacted by the negligent actions of this health care company,” Moody said on Thursday.

Specific information security measures contained in the agreed judgment include requirements to:

• Develop a written incident response plan;
• Incorporate security awareness and privacy training for all personnel who have access to protected health information;
• Limit unnecessary or inappropriate access to protected health information; and
• Implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.

In addition to Florida, represented by Consumer Protection Division assistant attorney general Patrice Malloy, the multistate group includes Alaska, Arkansas, Connecticut, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington and West Virginia.

The proposed judgment is pending judicial approval.