Community Health Systems Inc. (“CHS”), a Tennessee-based hospital provider, has reported it was the target of data hackers who were able to obtain identification information belonging to approximately 4.5 million CHS patients. According to some sources, this is the second-largest HIPAA breach ever. The company has been cooperating with Federal law enforcement authorities pursuing the individuals responsible for hacking into CHS’s system. In response to this breach, CHS is working to notify those individuals whose information was stolen and assisting them with identity theft protection as well as working with a security firm to thoroughly investigate the breach.
Healthcare providers that maintain or transmit electronic protected health information (“ePHI”) must not only be careful about how they use and disclose ePHI, but must also be wary of criminal attacks coming from outside their organization. Even simple identification information such as names, phone numbers, and social security numbers is protected by HIPAA. As part of ongoing HIPAA compliance, providers should assess and document the risk of breach of ePHI and the safeguards in place to prevent a breach. The more technical safeguards a provider has implemented for its ePHI (such as encryption, firewalls, and alerts for unauthorized or unusual access), the less likely hackers will be able to infiltrate records and, in the event they infiltrate anyway, the easier it is for a provider to make a good case that it took all reasonable steps to safeguard its patients’ PHI, or at least to mitigate harm caused by a breach. Providers must consider all aspects of HIPAA, including both the Privacy Rule and the Security Rule, and make sure their HIPAA compliance programs are operational and complete.