A HIPAA business associate providing IT and health information management to physicians and doctors in Tennessee impermissibly disclosed protected health information of more than 6 million individuals.
In April 2014, the Federal Bureau of Investigation notified CHSPSC LLC that it had traced a cyberhacker’s threat to CHSPSC’s IT systems. Hackers used stolen administrative credentials to remotely access systems through a VPN. Even after the FBI’s notice, the hackers continued to access information in the CHSPSC system through August 2014. Information relating to 6,121,158 individuals was impacted.
HHS investigated and found systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis, failure to have security procedures, and failure to implement access controls.
CHSPSC must pay $2.3 million and implement a corrective action plan.