A Tennessee firm that provides health data management services has agreed to pay the United States Office for Civil Rights (OCR) $2.3m to settle charges related to a data breach.
Charges were brought against Tennessee-based Community Health Systems (CHSPSC LLC) by 28 states after the personal health information (PHI) of millions of people ended up in the hands of cyber-criminals.
In April 2014, CHSPSC was notified by the Federal Bureau of Investigation that Chinese advanced persistent threat group APT18 had gained access to the company’s information system and was exfiltrating PHI. The hackers continued to access and exfiltrate the PHI until August 2014, even though the notice had been sent.
CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. Community Health Systems owned, leased, or operated 206 affiliated hospitals at the time of