Business Associate Pays $2.3 Million Fine for Breach of ePHI of 6M Individuals and Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced the 10th HIPAA violation penalty of 2020. At $2.3 million, it is the largest financial penalty imposed so far in 2020, and it settles a case involving five potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC of Tennessee is a management company that provides services to many subsidiary hospital operator organizations and other affiliates of Community Health Systems. Those services include legal, accounting, operations, compliance, IT, human resources, and health information management services. Providing them requires access to ePHI, so CHSPSC is a business associate under HIPAA and must comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack carried out by an advanced persistent threat group known as APT18. The attackers used compromised administrative credentials to gain remote access to CHSPSC’s information systems through its virtual private network (VPN) solution. CHSPSC did not detect the intrusion itself; it learned of the compromise only when the Federal Bureau of Investigation (FBI) notified it on April 18, 2014.

During the time the attackers had access to CHSPSC’s systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC by 237 covered entities that used its services. The stolen information included names, dates of birth, sex, phone numbers, email addresses, Social Security numbers, race, and emergency contact details.

OCR investigated the breach and found systemic noncompliance with the HIPAA Security Rule. While it is not always possible to prevent attacks by sophisticated threat actors, once a breach is detected, prompt action is needed to contain the damage. Even after the FBI notified CHSPSC of the compromise in April 2014, the attackers remained active in its systems for four more months and were not removed until August 2014. During that time CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the attackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014, to mitigate the harmful effects of the incident, and to document the incident and its outcome violated 45 C.F.R. §164.308(a)(6)(ii).

OCR investigators determined that CHSPSC had not conducted an adequate and comprehensive security risk analysis to identify the risks to the availability, integrity, and confidentiality of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures that restrict access to information systems containing ePHI maintained by CHSPSC to authorized persons and software programs only had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures to regularly review records of information system activity, such as logs and security incident tracking reports, had not been implemented, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

The healthcare sector is a frequent target of hackers and cybercriminals. Failing to implement the safeguards required by the HIPAA Rules, especially after being alerted by the FBI to a possible breach, is inexcusable, and a substantial financial penalty was therefore appropriate.

CHSPSC chose not to contest the case, agreed to pay the financial penalty, and settled with OCR. The settlement also requires CHSPSC to adopt a robust corrective action plan addressing all areas of noncompliance, and CHSPSC will be closely monitored by OCR for two years.