
Yes, the Community Health Systems Data Breach Settlement appears to be legitimate. If you have questions concerning the settlement, you should contact class counsel or the claims administrator. You can find the contact information for both on the settlement website: https://chspscsettlement.com/
How much did CHSPSC settle?
September 24, 2020 - The Department of Health and Human Services Office for Civil Rights reached a $2.3 million settlement with CHSPSC, which provides services to hospitals and clinics indirectly owned by Community Health Systems, after a data breach impacted more than 6 million patients in 2014.
What did CHSPSC fail to do?
Further, CHSPSC failed to conduct accurate and thorough assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held in its system.
What is systemic noncompliance with HIPAA?
The OCR audit that followed revealed longstanding, systemic noncompliance with the HIPAA Security Rule, such as failure to conduct a risk analysis and to implement information system activity review, security incident procedures, and access controls.
How much did OCR settle with Athens?
On September 21, Athens Orthopedic Clinic reached a $1.5 million settlement with OCR over its 2016 data breach caused by the notorious hacking group known as “thedarkoverlord” (TDO).
What does CHSPSC need to develop?
CHSPSC will need to develop a complete inventory of all connected devices and equipment, which OCR recently stressed can improve the HIPAA-required risk analysis. It will also need to review and revise its policies and procedures for technical access controls covering all software applications and network or server equipment and systems, and for information system activity review.
When did the FBI notify CHSPSC of the breach?
CHSPSC did not detect the breach until it was notified by the FBI eight days later, on April 18. However, attacker activity continued on the system until August 18, 2014.
Did CHSPSC implement procedures?
OCR also found that CHSPSC did not implement technical policies and procedures to allow access only to individuals or software programs that had been granted access, nor did it implement procedures to routinely review records of activity on its information systems, including audit logs, access reports, and security incident tracking reports.
How much does CHSPSC pay HHS?
Payment. CHSPSC has agreed to pay HHS the amount of $2,300,000 (“Resolution Amount”). CHSPSC agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in Section II.9 pursuant to written instructions to be provided by
Who is the CR of CHSPSC?
The CR shall be an individual who is knowledgeable about the HIPAA Rules and about the policies and practices of CHSPSC with respect to ePHI. The CR shall be responsible for assuring CHSPSC’s compliance with this Agreement and the CAP and for arranging for the provision of such assistance as CHSPSC may require to comply with the Agreement and the CAP, including, but not limited to, arranging for and/or providing policies, procedures, training and internal monitoring services.
How long does CHSPSC maintain records?
CHSPSC shall maintain for inspection and copying, and shall provide to OCR upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.
How long does CHSPSC have to submit its training materials to HHS?
Within two-hundred ten (210) days of the Effective Date, CHSPSC shall submit its proposed training materials to HHS for its review and approval, along with the policies and procedures required by Section V.C. of this CAP.
What is transaction number 14-189589?
Transaction Number 14-189589 and any violations of the HIPAA Rules related to the Covered Conduct specified in Section I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.
