Attorney General announces nearly $5 Million multi-state settlement with CHS/Community Health Systems, Inc. for data security breach

Frankfort, Ky. — Attorney General Daniel Cameron today announced a nearly $5 million multi-state settlement with Tennessee-based CHS/Community Health Systems, Inc. (CHS/CHSI), and its subsidiary, CHSPSC, LLC, for a data security breach. The settlement resolves an investigation into the data breach, which affected the personal information of approximately 6.1 million patients nationwide, including 93,395 Kentuckians.

“This settlement returns more than $80,000 to the Commonwealth and establishes security standards that comply with Kentucky’s consumer protection laws,” said Attorney General Cameron. “This is one example of how our Office of Consumer Protection works on behalf of Kentuckians to stop negligent business practices that jeopardize the security of their personal information.”

The Attorney General’s Office of Consumer Protection, together with 27 other attorneys general, reached a settlement with CHS/CHSI and CHSPSC, LLC., requiring the businesses to pay nearly $5 million to the 28 states. Kentucky will receive $82,345.42.

At the time of the data breach, CHS/CHSI owned, leased, or operated 206 hospitals, including four hospitals in Kentucky. The company’s breach compromised the names, birthdates, social security numbers, phone numbers, and addresses of patients.

In addition to the $5 million payment to the states, CHS agreed to implement and maintain a comprehensive information security program designed to safeguard Personal Information (PI) and Protected Health Information (PHI).

Under the settlement, CHS/CHSI is required to adopt specific information security requirements, including:

Developing a written incident response plan.
Incorporating security awareness and privacy training for all personnel who have access to PHI.
Limiting unnecessary or inappropriate access to PHI.
Implementing specific policies and procedures regarding business associates, including the use of business associate agreements and audits of business associates.

Attorney General Cameron was joined by attorneys general from Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia in the settlement.