(COLUMBUS, Ohio) – Ohio Attorney General Dave Yost and his counterparts in 27 other states have secured a judgment against Tennessee-based Community Health Systems Inc. for a data breach that exposed the names, birthdates, Social Security numbers, phone numbers, and addresses of 6.1 million patients.
The judgment resolves a multi-year investigation of the breach, which affected 253,641 Ohio patients.
“Protecting patients is the job of a hospital and that includes shielding patients’ personal information from hackers,” Yost said. “Exposing the identities of patients should never happen, and it will take a long time to rebuild that trust.”
At the time of the data breach, CHS/Community Health Systems Inc. and its subsidiary leased or operated 206 affiliated hospitals nationwide.
The judgment agreed to by CHS, requires the company to pay $5 million total to the states, with CHS also agreeing to implement and maintain a comprehensive information security program designed to reasonably safeguard Personal Information (PI) and Protected Health Information (PHI).
Ohio’s portion of the settlement is $162,940.
As part of the settlement, CHS must:
- Develop a written incident response plan.
- Incorporate security awareness and privacy training for all personnel who have access to PHI.
- Limit unnecessary or inappropriate access to PHI.
- Implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
Other states participating in this settlement are Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.
For a copy of the complaint filed by Yost please send an email to email@example.com