Attorney General Morrisey Announces Settlement in Hospital Data Breach

CHARLESTON — West Virginia Attorney General Patrick Morrisey announced a $5 million, multistate settlement with a leading hospital operator related to an August 2014 data breach.

    Terms require Community Health Systems Inc., also known as CHS, to pay $5 million to the 27 states that are party to the settlement. The settlement also requires CHS to implement and maintain a comprehensive information security program designed to safeguard personal and protected health information.

    “All consumers rely upon businesses, especially hospitals, to secure their sensitive personal, identifiable information,” Attorney General Morrisey said. “Any company that breaks that trust must be held accountable. This settlement emphasizes the meticulous protocols consumers expect to protect their information from unlawful use or disclosure.”

    CHS owned, leased or operated 206 affiliated hospitals when the breach occurred, including five West Virginia entities – Oak Hill Clinic Corp., Oak Hill Hospital Corp., Bluefield Clinic Company LLC, Greenbrier Valley Anesthesia LLC, Greenbrier Valley Emergency Physicians and Ronceverte Physician Group.

    The Tennessee-based company maintains control over just 92 hospitals, including Greenbrier Valley Medical Center of Ronceverte and Plateau Medical Center of Oak Hill, according to its website.

    West Virginia will receive an allotment of $73,897, and CHS patients in the state will benefit from the stringent security protocols implemented as part of the settlement.

    The CHS data breach impacted approximately 6.1 million patients nationwide, including 75,597 consumers from West Virginia. The incident exposed names, birthdates, Social Security numbers, phone numbers and patient addresses.

    Specific security measures within the settlement require CHS and subsidiary CHSPSC LLC to incorporate security awareness and privacy training, develop a written incident response plan and limit unnecessary or inappropriate access to protected health information. They also must implement specific policies and procedures regarding business associates, including use of agreements and audits of those associates.

 West Virginia joined the settlement with Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont and Washington.