More than six million patient records were exposed

UPDATED US healthcare provider Community Health Systems (CHS) has ended a long-running legal fight by agreeing to pay $5m to settle claims against it over a 2014 data breach that affected more than six million patients.

Attackers broke into a records system maintained by an IT supplier to Community Health Systems and lifted the patient data of 6.21 million people back in August 2014.

The compromised records included names, Social Security numbers, physical addresses, birth dates, and telephone numbers – all useful information for potential identity thieves or other fraudsters.

Tennessee-based CHS owned, leased, or operated 206 hospitals/doctor’s clinics at the time of the breach. IT service firm CHSPSC managed the health information management and IT systems for CHS.

Insufficient action after FBI warning

The FBI warned CHSPSC that its systems were compromised in April 2014. CHSPSC failed to act in any meaningful way on this warning, setting up the bigger problems that followed.

Last month CHSPSC agreed to pay the US Department of Health and Human Services a $2.3 million fine. It also agreed to implement a corrective action plan in order to settle allegations that it violated the US Health Insurance Portability and Accountability Act (HIPAA).

Attackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network (VPN), an investigation by the Office for Civil Rights at HHS discovered.

Security auditors faulted the IT services firm for “systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls”.

A recently agreed judgment (PDF) requires CHS to make a $5 million payment to the Attorneys General of the 28 US states that sued the healthcare provider.

CHS further agreed to “implement and maintain a comprehensive information security program” designed to safeguard against a repetition of the historic security failure.

“CHS failed to implement and maintain reasonable security practices,” said Iowa Attorney General Tom Miller, in a statement. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure.”

CHS however told The Daily Swig that it had settled the case without admitting any wrongdoing. It defended its security practices at the time of the attack.

"Community Health Systems is pleased to have resolved this six-year-old matter in which it admitted no wrongdoing," it said. "The Company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations."

This story was updated to add a statement from CHS.