AG Hill Joins in Judgment Resolving Community Health Systems Data Breach Investigation
Friday, October 9, 2020

Attorney General Curtis Hill has joined 27 other state attorneys general to obtain a $5 million judgment against Tennessee-based CHS/Community Health Systems Inc. and its subsidiary, CHSPSC LLC, resolving an investigation of a data breach that impacted approximately 6.1 million patients, including 527,811 from Indiana. Under the agreement, Indiana will receive $300,831.18.

At the time of the data breach in 2014, CHS owned, leased or operated 206 affiliated hospitals. Exposed in the breach were the names, birthdates, Social Security numbers, phone numbers and addresses of patients.

Besides the $5 million payment to the states, the judgment agreed to by CHS provides that CHS will implement and maintain a comprehensive information security program reasonably designed to safeguard Personal Information (PI) and Protected Health Information (PHI).

Security measures in the agreed judgment include the requirements to develop a written incident response plan; to incorporate security awareness and privacy training for all personnel who have access to PHI; to limit unnecessary or inappropriate access to PHI; and to implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.

Community Health Systems has no affiliation with Indianapolis-based Community Health Network.


>> News Archive