CHS Pays $5 Million to Settle after Systems Hacked by Chinese Threat Actors


CHS, Community Health Systems, and its subsidiary, CHSPCS LLC, have settled for 5$ Million USD with 28 State Attorneys.

The Investigation was lead by Tennessee AG Herbert H. Slatery III after CHS was hacked by a Chinese advanced persistent threat group with eventually lead to the breach of over 6.1 Million individuals and their protected health information (PHI) in 2014.

In 2014, CHI owned, leased and operated 206 affiliated hospitals and a filing with the U.S. Securities and Exchange commission noted that the PHI stolen by hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, SSN and emergency contact information.

This breach was also investigated by the Health & Human Services Office of Civil rights, which later came to a conclusion with CHSPCS LLC and settled for $2.3M penalty to resolve any potential HIPAA penalties and violations that would be discovered by the investigation.

On top of the penalties and settlement, CHSPCS agreed to enforce and adopt a stronger and more robust corrective plan of action to address any issues regarding privacy and security inconsistencies that were discovered by the Office of Rights investigators.

CHS was also taken to court over the breach by Victims over the theft of their PHI and data – CHS settled the lawsuit in 2019 for $3.1 million, putting CHS at over $10.4 Million in total settlements for the breach.

A patient’s personal information—especially health information—deserves the highest level of protection,

said AG Slatery.

This settlement will require CHS to provide that moving forward.

Community Health Systems (CHS) and their Affiliates were found to have poor implementation of security measures to prevent such breaches of data and appropriate security measures to ensure the safety, integrity and confidentiality of their patients’ PHI and personal data.

The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,

said Iowa AG Tom Miller.

Over 28 states took action against CHS including:

  • Alaska,
  • Arkansas,
  • Connecticut,
  • Florida,
  • Illinois,
  • Indiana,
  • Iowa,
  • Kentucky,
  • Louisiana,
  • Massachusetts,
  • Michigan,
  • Mississippi,
  • Missouri,
  • Nebraska,
  • Nevada,
  • New Jersey,
  • North Carolina,
  • Ohio,
  • Oregon,
  • Pennsylvania,
  • Rhode Island,
  • South Carolina,
  • Tennessee,
  • Texas,
  • Utah,
  • Vermont,
  • Washington,
  • and West Virginia.

On top of paying the massive settlements, CHS and all affiliates have agreed to implement new security measures which include written Incident Response plans, Security Awareness and Privacy training for all personnel that handle PHI data.

They’ve also started to limit unnecessary and inappropriate access to systems that contain any PHI along with implement Procedures and procedures with all business associates and affiliates, as well as implementing and conducting regular audits for all those associates as well.

CHS is taking cyber security measures to a whole new level by conducting annual Risk Assessments, Risk-based Penetration Testing, Intrusion Detection systems, data loss protection systems and measures, email filtering and anti-phishing solutions as well.

All system activities are Logged and reviewed frequently to ensure no suspicious activity is happening.

About the author

Katie Brownley

Health & IT Journalist covering Cybersecurity News, Data Breaches and Security Industry News. Email is open for DM and News Tips are Welcome

Subscribe to Our Newsletter