Iowa Attorney General Tom Miller joined 27 other attorneys general to obtain a $5 million judgment against Tennessee-based CHS/Community Health Systems, Inc., and its subsidiary, CHSPSC LLC. This judgment resolves an investigation of a data breach that affected approximately 6.1 million patients, including 7,002 Iowans.
At the time of the 2014 data breach, CHS owned, leased, or operated 206 affiliated hospitals. Exposed in the breach were the names, birthdates, Social Security numbers, phone numbers, and addresses of patients, according to a petition filed in Polk County District Court.
The judgment, agreed to by CHS, requires a $5 million payment to the states, including $38,895 to Iowa. CHS also agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard personal information and protected health information, which will include specific information security requirements.
“CHS failed to implement and maintain reasonable security practices,” Miller said. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure.”
Specific information security measures contained in the agreed judgment include the requirements to develop a written incident response plan; to incorporate security awareness and privacy training for all personnel who have access to protected health information; to limit unnecessary or inappropriate access to protected health information; and to implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
In addition to Iowa, other states participating in this settlement include Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.