October 01, 2020

HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting PHI of Over 6 Million Individuals

The Office for Civil Rights (OCR) has imposed a $2.3 million penalty on a business associate for failing to monitor, address and take appropriate actions regarding persistent threats to its information system after being notified of such threats by the FBI in 2014. The resulting breach impacted over six million individuals. The business associate, CHSPSC, LLC, which is indirectly owned by Community Health Systems in Franklin, TN, also agreed to a corrective action plan and two years of monitoring. This move by the OCR is viewed as a big win for entities seeking to place added pressure on business associates to comply with HIPAA and HITECH.