HIPAA Blog

[ Monday, September 28, 2020 ]

 

CHSPSC is Community Health System's management service organization, which provides business management, IT, and HIM services to hospitals and physician practices. That makes them a Business Associate. They got hacked by an APT from a hacker group in 2014, and the hackers got access to and absconded with PHI on over 6 million patients. The FBI reported it to CHSPSC in April, but they didn't get the hack fully shut down until August. Guess what? No risk analysis, no info systems activity review, insufficient access controls (the hackers got admin access, so this one isn't necessarily fair, but activity auditing woulda cured this), and insufficient security incident procedures. Fine: $2,300,000.

UPDATE: As is usually the case these days, reportable data breaches under HIPAA are also state-law data breaches, subject to fines from state attorneys general.  Such is the fate of Community Health System and its management company, CHSPSC.  Fine to the state AGs: $5 million.


Jeff [11:16 AM]
