Press release from the office of the Attorney General of Connecticut:
Oct. 11, 2020
Attorney General William Tong today joined 27 other state attorneys general announcing a settlement with Tennessee-based CHS/Community Health Systems, Inc., and its subsidiary, CHSPSC LLC. This settlement resolves an investigation of a data breach which impacted approximately 6.1 million patients.
At the time of the data breach, CHS owned, leased, or operated 206 affiliated hospitals. Although none of the hospitals were located in Connecticut, 4,746 Connecticut residents were impacted by the breach. Exposed in the breach were the names, birthdates, social security numbers, phone numbers, and addresses of patients. The settlement, agreed to by CHS, requires a $5 million payment to the states and provides that CHS agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard Personal Information (PI) and Protected Health Information (PHI), which will include specific information security requirements.
“Community Health Systems had an obligation to safeguard the personal information of their patients and they failed. This settlement includes a significant financial penalty and puts in place strong new protections to ensure patients’ personal information is secure going forward,” said Attorney General Tong. “Patients have a right to know their personal information will be safe and protected. Working with our partner states, we are prepared to take strong action against entities that violate that trust.”
Specific information security measures contained in the settlement include the requirements to develop a written incident response plan; to incorporate security awareness and privacy training for all personnel who have access to PHI; to limit unnecessary or inappropriate access to PHI and to implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
Other states participating in this settlement include Alaska, Arkansas, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.
Assistant attorneys general Michele Lucan, John Neumon, Áine DeMeo, and Jeremy Pearlman, Head of the Privacy and Data Security Department, assisted the Attorney General in this matter.
This press release was produced by the office of the Attorney General of Connecticut. The views expressed here are the author’s own.