West Virginia settles hospital data breach lawsuit
CHARLESTON — The state has settled with a hospital operator in a lawsuit over an August 2014 data breach, the West Virginia attorney general said.
The terms require Community Health Systems Inc., also known as CHS, to pay $5 million to 27 states who are party to the settlement, Attorney General Patrick Morrisey said. It also requires CHS implement and maintain a comprehensive information security program designed to safeguard personal and protected health information.
“All consumers rely upon businesses, especially hospitals, to secure their sensitive personal, identifiable information,” Morrisey said. “Any company that breaks that trust must be held accountable. This settlement emphasizes the meticulous protocols consumers expect to protect their information from unlawful use or disclosure.”
CHS owned, leased or operated 206 affiliated hospitals when the breach occurred, including Oak Hill Clinic Corp., Oak Hill Hospital Corp., Bluefield Clinic Company LLC, Greenbrier Valley Anesthesia LLC, Greenbrier Valley Emergency Physicians and Ronceverte Physician Group in West Virginia.
The Tennessee-based company maintains control over just 92 hospitals, including Greenbrier Valley Medical Center of Ronceverte and Plateau Medical Center of Oak Hill, according to its website.
West Virginia will receive an allotment of $73,897 and CHS patients in the state will benefit from the stringent security protocols implemented as part of the settlement.
The CHS data breach impacted approximately 6.1 million patients nationwide, including 75,597 consumers from West Virginia. The incident exposed names, birthdates, Social Security numbers, phone numbers and patient addresses.
Specific security measures within the settlement require CHS and subsidiary CHSPSC LLC to incorporate security awareness and privacy training, develop a written incident response plan and limit unnecessary or inappropriate access to protected health information. They also must implement specific policies and procedures regarding business associates, including use of agreements and audits of those associates.
West Virginia joined the settlement with Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont and Washington.