In 2014, a healthcare technology vendor (aka a Business Associate), Community Health Systems, Inc., experienced a breach that exposed parts of the personal health records of 6.1 million patients across 28 states. The breach was executed by a Chinese hacking group that exploited a known vulnerability known as OpenSSL “heartbleed” that we’ve discussed in the past. In September, OCR, the Office for Civil Rights announced a resolution with CHSI of $2.3 million along with a Corrective Action Plan (CAP). But that’s not where the story ends. 

In earlier reminders we mentioned how HHS had announced in 2019 they were going to be reducing assessed financial penalties against HIPAA violators. We cautioned that this was not to be interpreted as a gracious act by OCR, but rather a recognition that the true costs of a breach were being dwarfed by the penalties they had been levying against Covered Entities and Business Associates. And that is where our story here begins.

Recently, a settlement was announced between CHSI and 28 states who had sued the organization as a result of the breach. The assessed fine was $5 million, but what caught our attention was the Corrective Action Plan. 

To understand the severity of the punishment, consider that the breach was the result of a failure by IT to patch a known vulnerability, not the behavior of the workforce, like an errant click. Yet the CAP requires password management and policy enforcement, including implementation of multi-factor authentication. Both the OCR and this Corrective Active Plan can politely be described as extremely intrusive. For the most part, these actions weren’t surprising, but the requirement to conduct annual penetration testing was. Specifically, CHSI now must conduct annual risk assessments that include penetration testing. For the uninitiated, pen testing, as it’s commonly referred to, can be a costly proposition for an organization the size of CHSI, not to mention the time and effort that will be required to perform the tasks. 

Here’s the lesson. If you think a tax audit is bad, you haven’t experienced anything compared to the scrutiny and oversight CHSI will be under for the next few years. Never has the saying “penny wise and dollar foolish” been more appropriate. Had CHSI invested in effective risk management before the breach incident, much of this punishing enforcement, possibly all of it, could have been avoided. So if you’re on the fence about conducting regular risk assessments or investing in recommended best cybersecurity practices, think about what CHSI is going through and ask yourself if you want to walk in their shoes. 

Let us help protect you. We can complete a thorough risk assessment before the end of the year so if the authorities come asking for a copy of your risk assessment report, you’ll be prepared.