News Briefs: September 28, 2020

In a settlement of potential HIPAA violations with a business associate, the HHS Office for Civil Rights (OCR) said Sept. 23 that CHSPSC LLC has agreed to pay $2.3 million related to a breach affecting more than six million people and implement corrective actions.[1] CHSPSC provides business associate services, such as health information management, to hospitals and clinics indirectly owned by Community Health Systems Inc., in Franklin, Tennessee. In April 2014, the FBI informed CHSPSC that it had traced a cyberhacker group’s advanced persistent threat to CHSPSC’s information system. “Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014,” OCR said. “The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network.” An investigation by OCR allegedly found “systemic noncompliance with the HIPAA Security rule.” CHSPSC did not admit liability in the settlement.
