TRENTON – Attorney General Gurbir S. Grewal announced today that New Jersey has entered into a multi-state settlement agreement with acute care hospitals operator CHS/Community Health Systems, Inc. that resolves an investigation into a 2014 data breach in which intruders copied and transferred data of approximately 6.1 million patients, including more than 45,000 New Jersey residents.
At the time of the data breach, CHS, which is headquartered in Franklin, Tennessee, owned, leased, or operated 206 affiliated hospitals across the country, including two clinics located in New Jersey. Exposed in the data breach were the names, birthdates, social security numbers, phone numbers, and addresses of patients.
The settlement announced today also applies to CHS subsidiary CHSPSC, LLC, and requires CHS to make an overall payment of $5 million to the 28 participating states. New Jersey’s share of the settlement payout is $58,202.
In addition to a monetary payment by CHS, today’s settlement requires CHS to put in place specific data protection measures aimed at creating and maintaining a comprehensive security program that will safeguard Personal Information (PI) and Protected Health Information (PHI).
“All companies – but particularly those who deal on a regular basis with peoples’ sensitive personal information, including their private medical information -- have a duty to use appropriate security measures to protect such data,” said Attorney General Grewal. “When companies fail to effectively safeguard the data they store, we know from history that hackers will seek to exploit that failure.”
“When businesses fail to maintain the kind of security measures that will safeguard sensitive consumer information, data breaches become easier for cyber criminals,” said Acting Division of Consumer Affairs Director Paul R. Rodriguez. ” This settlement should serve as a message to all patient-care-related businesses in New Jersey that there are consequences attached to not protecting the data they typically ask for – and in many cases require – from consumers.”
Specific information-security measures required under the settlement announced today include:
- development of a written incident response plan;
- incorporation of security awareness and privacy training for all personnel with access to PHI;
- limitation of unnecessary or inappropriate access to PHI; and
- implementation of specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
Other states participating in the settlement include Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.
Kashif T. Chand, Section Chief, and Zachary N. Klein, Deputy Attorney General, of the Data Privacy and Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group handled the CHS matter on behalf of the State.