A management company that provides services to affiliates of Community Health Systems has agreed to pay HHS' Office for Civil Rights $2.3 million, the agency said Wednesday.
The fine levied on CHSPSC, a business associate that provides accounting, compliance, information technology and other services to hospitals and clinics indirectly owned by the Franklin, Tenn.-based for-profit system, settles alleged HIPAA violations related to a 2014 data breach affecting more than 6 million people.
The $2.3 million fine marks the largest HIPAA settlement OCR has announced this year.
The Federal Bureau of Investigation in April 2014 notified CHSPSC that it had traced a cyberattack by a hacking group, known as APT18, to the company's information system. The hackers had been using compromised administrative credentials to remotely access the information system through a virtual private network, according to OCR.
CHS reported in a 2014 regulatory filing that it suspected the hacking group was based in China and was seeking intellectual property related to medical devices and other equipment.
Despite the FBI's notice, the hackers were able to continue accessing the system through August of that year, ultimately exfiltrating the protected health information of more than 6 million people from 237 covered entities served by CHSPSC, according to OCR. The breach compromised name, sex, date of birth, phone number, Social Security number, email address, ethnicity and emergency contact information.
“The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” OCR Director Roger Severino said in a statement.
During its investigation, OCR officials said they found “longstanding, systemic noncompliance with the HIPAA Security Rule,” including alleged failures to conduct risk analyses, implement appropriate access controls and regularly review records of activity on information systems.
In addition to the monetary settlement, CHSPSC will implement a corrective action plan, which includes HHS monitoring the company's compliance with HIPAA for two years.
A CHS spokesperson said in an emailed statement that the company has “long disputed” OCR's allegations, arguing that CHSPSC had appropriate risk controls in place at the time of the cyberattack and “responded promptly when it learned of the attack and worked closely with the FBI and in accordance with the FBI's recommendations.”
“We settled these allegations without any admission of fault after a six-year investigation in which we provided OCR ample evidence that its allegations were inaccurate,” the spokesperson said. “Regardless, we're pleased with the outcome and glad to finally put this to an end.”