Judgment Obtained Resolving Data Breach Investigation
Release Date
Oct 8, 2020
Contact
Kylie Mason
Phone
850-245-0150
TALLAHASSEE, Fla.—Attorney General Ashley Moody, along with 27 other state attorneys general, obtained a judgment against Tennessee-based Community Health Systems, Inc., and its subsidiary, CHSPSC LLC. This judgment resolves an investigation of a data breach that impacted approximately 6.1 million patients, including more than 430,000 from the state of Florida.
At the time of the data breach, CHS owned, leased or operated 206 affiliated hospitals, including 37 located in Florida. Information exposed in the breach included the addresses, birthdates, names, phone numbers and Social Security numbers of patients. The judgment, agreed to by CHS, requires a $5 million payment to the states and provides that CHS agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard personal information and protected health information that will include specific information security requirements.
Attorney General Ashley Moody said, “Health care patients are routinely asked to reveal personal information in the course of treatment. The added stress surrounding a data breach exposing personal information can be overwhelming. I’m glad we were able to provide relief to the more than 430,000 Floridians impacted by the negligent actions of this health care company.”
Specific information security measures contained in the agreed judgment include requirements to:
The proposed judgment is pending judicial approval.
At the time of the data breach, CHS owned, leased or operated 206 affiliated hospitals, including 37 located in Florida. Information exposed in the breach included the addresses, birthdates, names, phone numbers and Social Security numbers of patients. The judgment, agreed to by CHS, requires a $5 million payment to the states and provides that CHS agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard personal information and protected health information that will include specific information security requirements.
Attorney General Ashley Moody said, “Health care patients are routinely asked to reveal personal information in the course of treatment. The added stress surrounding a data breach exposing personal information can be overwhelming. I’m glad we were able to provide relief to the more than 430,000 Floridians impacted by the negligent actions of this health care company.”
Specific information security measures contained in the agreed judgment include requirements to:
- Develop a written incident response plan;
- Incorporate security awareness and privacy training for all personnel who have access to protected health information;
- Limit unnecessary or inappropriate access to protected health information; and
- Implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
The proposed judgment is pending judicial approval.