CHSPSC, LLC has agreed to pay $2.3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve possible violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.
CHSPSC Pays $2.3 Million to Resolve HIPAA Investigation
1 min read Premium comments
Secondary#hipaa#chspsc
CHSPSC is a “business associate” as defined under federal rules and therefore is required to comply with HIPAA security rules. The management company provides services to subsidiaries and affiliates of Community Health Systems, Inc. Its services include assisting with legal, information technology, and compliance obligations.
The settlement results from a 2014 cyber-attack which affected more than six million people. In 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that “it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system.” The group is known as APT18.
APT18 utilized compromised administrative credentials “to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals” for nearly four months following the FBI’s notice. During this time, PHI was exposed including “name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.”
HHS’s investigation found numerous potential violations. Notably that CHSPSC potentially failed to prevent unauthorized access to the electronic PHI maintained in its network. It is also possible that CHSPSC failed to respond to and mitigate a known security threat during the four months of the cyber-attack.
In addition to the financial agreement, CHSPSC will also implement a corrective action plan. The corrective action plan includes two years of monitoring. Under the corrective action plan, CHSPSC will conduct a risk analysis and develop and implement a risk management plan. CHSPSC will also provide requisite training to its workforce members.
In the HHS press release OCR Director Roger Severino said, “The health care industry is a known target for hackers and cyberthieves.”
Severino continued, “The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”
React:
Discussion
This is a fascinating development. In my practice we've seen similar outcomes with the revised protocol. The key differentiator seems to be patient selection criteria. Has anyone else noticed the correlation with BMI thresholds?
Great point. I'd push back slightly on the conclusion, the sample size in the cited study is too small to draw population-level inferences. That said, the directional signal is compelling and worth a larger RCT.
We implemented a similar approach last year. Early results are promising but we're still gathering 12-month follow-up data. Happy to share our protocol if anyone is interested.
Join the conversation
Orthopedic professionals are discussing this. Sign in and upgrade to read every comment and add your voice.