OCR levies $2.3M fine over massive breach affecting PHI of 6M people

The U.S. Department of Health and Human Services announced this week that CHSPSC, a Tennessee-based management company providing business associate services to hospitals and physician clinics indirectly owned by Community Health Systems, had agreed to pay $2.3 million to settle potential HIPAA violations.

According to the HHS Office for Civil Rights, the Federal Bureau of Investigations notified CHSPSC in April 2014 that it had flagged an “advanced persistent threat” to CHSPSC’s information system. 

But the hackers continued to access the information through August of that year, according to the enforcement agency, and breached the protected health information of more than 6 million people. 

CHSPSC has also agreed to a corrective action plan including two years of monitoring.


Community Health Systems is one of the largest publicly traded hospital companies in the country, as measured by number of facilities. CHSPSC provides services – including IT, health information management, legal and compliance – to hospitals and clinics indirectly owned by CHS.

According to the action plan published on HHS’ website, in April 2014, a group of bad actors remotely accessed CHSPSC’s information system through its VPN. Eight days later, the FBI notified CHSPSC about the intrusion. 

From April through August, the cyber criminals affected 237 covered entities served by CHSPSC and exfiltrated the PHI of more than 6 million people – including name, sex, date of birth, phone number, Social Security number, email and emergency contact information.

“OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls,” said the agency.


The $2.3 million is the latest in fines brought by HHS OCR as a result of potential violations of HIPAA.

Most recently, a Massachusetts health network, had to pay $70,000 after failing to provide medical records, a potential violation of the HIPAA Privacy Rule’s right of access provision.

Although the breach at CHSPSC happened in 2014, the COVID-19 crisis has again shone a spotlight on the potential for bad actors to gain access to protected health information, with some security experts saying the pandemic has acted like “blood in the water” for cybercriminals.

Experts also note that any HIPAA-covered entity breach affecting more than 500 individuals will trigger a data request from OCR. 

Although regulators don’t have the resources to investigate every incident, the most recent BakerHostetler Data Security Incident Response Report noted that they are “asking harder questions, and their expectations are evolving.”


“The healthcare industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino in a statement.


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.

Source: Read Full Article