BreachExchange mailing list archives

CHS associate pays $2.3M HIPAA settlement: 4 details


From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 24 Sep 2020 09:23:09 -0500

https://www.beckershospitalreview.com/cybersecurity/chs-associate-pays-2-3m-hipaa-settlement-4-details.html

A Community Hospital Systems' entity that provides business associate
services to hospitals and clinics agreed to settle violations related
to a potential HIPAA breach for $2.3 million.

Four details:

1. CHSPSC will pay the Office for Civil Rights $2.3 million and adopt
a corrective action plan to settle allegations it violated HIPAA. The
company provides IT, health information management and other services
to the hospitals and clinics owned by Franklin, Tenn.-based CHS.

2. The FBI noticed a cyberhacking group posed an advanced persistent
threat to CHSPSC's information system in April 2014 and gave notice to
the company. However, the hackers were still able to access the
company's system.

3. The hackers exfiltrated protected health information for 6.1
million people in August 2014 and used the compromised administrative
credentials to remotely access the company's information systems
through a virtual private network.

4. An OCR investigation found longstanding, systemic noncompliance
with HIPAA's rules and the company failed to conduct a risk analysis
and implement access controls.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
