Community Health System agreed to the settlement following a data breach in 2014 that compromised millions of patients' information.
Community Health System (CHS), one of the largest health systems in the U.S., will pay $4.5 million to settle a class action HIPAA breach lawsuit from 2014.
Forensic investigators believed that an “advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company’s system.”
The breach at CHS, which operates 206 hospitals in 29 states, exposed the names, dates of birth, addresses, telephone numbers and Social Security Numbers of almost 4.5 million patients, reports the National Law Review.
Patients who were treated at CHS-operated hospitals claimed that CHS failed to implement basic security procedures to make sure their personal information stayed safe, according to Data Breach Today. Many filed lawsuits against the company and demanded compensation.
The suit also claimed that CHS did not notify patients properly after the breach, causing “plaintiffs to remain ignorant of the breach, and therefore, plaintiffs were unable to take action to protect themselves from harm.”
Individuals who can prove they had expenses due to the breach or can provide evidence that they lost time securing their accounts can claim up to $250. Individuals who experienced identity theft or fraud can receive up to $5,000.
Andi Bosshart, the Senior Vice President of Corporate Compliance and Privacy at CHS, released a statement apologizing to all patients whose data was accessed during the cyber-attack.
“It is our priority to ensure those who were affected by this attack are notified about the breach and have their questions answered,” the statement said.
A letter was also sent to all affected patients with information about free credit monitoring, identity theft consultations and restoration services.
Since the attack, CHS has taken recommendations from forensic investigators to improve security in the future. Those improvements include implementing additional audit and surveillance technology to detect intrusions, adopting advanced encryption technology and requiring users to change their access passwords.
According to CHS, most of its patients were not affected by the breach, and no credit card information or medical records were taken.