New Jersey is set to receive $58,202 after entering into a multi-state settlement agreement with acute care hospitals operator CHS/Community Health Systems Inc. related to a 2014 data breach that resulted in the copying and transfer of data belonging to 6.1 million patients, including more than 45,000 New Jerseyans, Attorney General Gurbir Grewal announced Thursday.
At the time of the data breach, Franklin, Tenn.-based CHS owned, leased or operated 206 affiliated hospitals across the country, including two clinics in New Jersey.
The data breach compromised patients’ names, birthdates, Social Security numbers, phone numbers and addresses.
The payout of the settlement to 28 states totaled $5 million.
In addition to monetary payment, the settlement requires CHS to put in place data protection measures aimed at creating and maintaining a comprehensive security program that will safeguard both personal information (PI) and protected health information (PHI).
“All companies – but particularly those who deal on a regular basis with people’s sensitive personal information, including their private medical information – have a duty to use appropriate security measures to protect such data,” said Grewal in a prepared statement. “When companies fail to effectively safeguard the data they store, we know from history that hackers will seek to exploit that failure.”
Information security measures required under the settlement include the development of a written incident response plan; incorporation of security awareness and privacy training for all personnel with access to PHI; limitation of unnecessary or inappropriate access to PHI; and implementation of specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
“When businesses fail to maintain the kind of security measures that will safeguard sensitive consumer information, data breaches become easier for cybercriminals,” said Acting Division of Consumer Affairs Director Paul Rodriguez in a prepared statement. “This settlement should serve as a message to all patient-care-related businesses in New Jersey that there are consequences attached to not protecting the data they typically ask for – and in many cases require – from consumers.”
States participating in the settlement are Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.