Attorney General Curtis Hill has joined 27 other state attorneys general to obtain a $5 million judgment against Tennessee-based CHS/Community Health Systems Inc. and its subsidiary, CHSPSC LLC, resolving an investigation of a data breach that impacted approximately 6.1 million patients, including 527,811 from Indiana. Under the agreement, Indiana will receive $300,831.18.
At the time of the data breach in 2014, CHS owned, leased or operated 206 affiliated hospitals. Exposed in the breach were the names, birthdates, Social Security numbers, phone numbers and addresses of patients.
Besides the $5 million payment to the states, the judgment agreed to by CHS provides that CHS will implement and maintain a comprehensive information security program reasonably designed to safeguard Personal Information (PI) and Protected Health Information (PHI).
“We must hold companies accountable for protecting Hoosier consumers’ personal information,†Attorney General Hill said. “Companies must follow the proper procedures and protocols to prevent data breaches and safeguard individual privacy.â€
Security measures in the agreed judgment include the requirements to develop a written incident response plan; to incorporate security awareness and privacy training for all personnel who have access to PHI; to limit unnecessary or inappropriate access to PHI; and to implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.