HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI.

Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S.

In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China.

An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers.

At the time, it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights, and it still ranks as one of the top six healthcare data breaches of all time.

Following the breach, many lawsuits were filed by patients seeking compensation for the theft of their personal information. The lawsuits were consolidated into a single lawsuit, which survived attempts by CHS to have the case dismissed. A settlement has now been reached to resolve the lawsuit.

The settlement specifies two different payments for breach victims. Individuals who can prove they have incurred out-of-pocket expenses as a result of the breach and/or can show evidence of time lost securing their accounts can claim up to $250 in compensation. Individuals who have suffered identity theft or fraud as a result of the breach can recover up to $5,000 in losses.

Legal fees totaling $900,000 have also been covered by the settlement agreement along with a payment of $3,500 for each representative class member.

To qualify for payment, a compensation claim must be submitted by August 1, 2019. Individuals who do not want to be included in the settlement and those who wish to file an objection have until May 18 to notify CHS.

The settlement must still be assessed for fairness and approved by a judge. A hearing has been scheduled for August 13, 2019.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.