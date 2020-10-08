Ohio Attorney General Yost Secures Judgment in Multistate Hospital Data Breach
(COLUMBUS, Ohio) – Ohio Attorney General Dave Yost and his counterparts in 27 other states have secured a judgment against Tennessee-based Community Health Systems Inc. for a data breach that exposed the names, birthdates, Social Security numbers, phone numbers and addresses of 6.1 million patients.
The judgment resolves a multi-year investigation of the breach, which affected 253,641 Ohio patients.
“Protecting patients is the job of a hospital and that includes shielding patients’ personal information from hackers,” Yost said. “Exposing the identities of patients should never happen, and it will take a long time to rebuild that trust.”
At the time of the data breach, CHS/Community Health Systems Inc. and its subsidiary leased or operated 206 affiliated hospitals nationwide.
The judgment, agreed to by CHS, requires the company to pay $5 million total to the states, with CHS also agreeing to implement and maintain a comprehensive information security program designed to reasonably safeguard Personal Information (PI) and Protected Health Information (PHI).
Ohio’s portion of the settlement is $162,940.
As part of the settlement, CHS must:
- Develop a written incident response plan.
- Incorporate security awareness and privacy training for all personnel who have access to PHI.
- Limit unnecessary or inappropriate access to PHI.
- Implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
