Rutledge announces over $130,000 in settlement against Community Health Systems following data breach



January 01 2022 12:00 am

LITTLE ROCK, Ark. – Arkansas Attorney General Leslie Rutledge today announced a settlement against Community Health Systems, Inc. (CHS) following a data breach that impacted nearly 190,000 Arkansans and 6.1 million patients across the country. At the time of the breach, CHS owned, leased or operated 206 affiliated hospitals including six hospitals located in Arkansas.

Exposed in the breach were the names, birthdates, Social Security numbers, phone numbers, and addresses of patients.

“Arkansas law requires businesses that collect or maintain sensitive personal information to implement and adhere to reasonable procedures in order to safeguard that information,” said Attorney General Rutledge. “The terms of this settlement serve to promote rigorous compliance so that patient information will be protected from unlawful use or disclosure.”

Arkansas, along with 27 other states, obtained the judgment agreed to by CHS. It requires a $5 million payment to the States and provides that CHS agrees to implement and maintain a comprehensive information security program to safeguard Personal Information (PI) and Protected Health Information (PHI), which will include specific information security requirements. Arkansas will get $130,921.50 from the settlement. The money will be used to fund civil law enforcement and consumer education efforts.

Specific information security measures contained in the agreed judgment include the requirements to develop a written incident response plan; to incorporate security awareness and privacy training for all personnel who have access to PHI; to limit unnecessary or inappropriate access to PHI; and to implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.

Other states participating in this settlement include Alaska, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.
