Attorney General Ashley Moody News Release
October 8, 2020
Contact: Kylie Mason
Phone: (850) 245-0150
Attorney General Moody Obtains Judgment Resolving Community Health Systems Data Breach Investigation
TALLAHASSEE, Fla.—Attorney General Ashley Moody, along with 27 other state attorneys general, obtained a judgment against Tennessee-based Community Health Systems, Inc., and its subsidiary, CHSPSC LLC. This judgment resolves an investigation of a data breach that impacted approximately 6.1 million patients, including more than 430,000 from the state of Florida.
At the time of the data breach, CHS owned, leased or operated 206 affiliated hospitals, including 37 located in Florida. Information exposed in the breach included the addresses, birthdates, names, phone numbers and Social Security numbers of patients. The judgment, agreed to by CHS, requires a $5 million payment to the states and provides that CHS agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard personal information and protected health information that will include specific information security requirements.
Attorney General Ashley Moody said, “Health care patients are routinely asked to reveal personal information in the course of treatment. The added stress surrounding a data breach exposing personal information can be overwhelming. I’m glad we were able to provide relief to the more than 430,000 Floridians impacted by the negligent actions of this health care company.”
Specific information security measures contained in the agreed judgment include requirements to:
- Develop a written incident response plan;
- Incorporate security awareness and privacy training for all personnel who have access to protected health information;
- Limit unnecessary or inappropriate access to protected health information; and
- Implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
In addition to Florida, represented by Consumer Protection Division assistant attorney general Patrice Malloy, the multistate group includes Alaska, Arkansas, Connecticut, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington and West Virginia.
The proposed judgment is pending judicial approval.