Attorney General Ford Joins 28-State Settlement Resolving Community Health Systems Data Breach Investigation

October 8, 2020

Carson City, NV – Today, Nevada Attorney General Aaron D. Ford announced that he, along with the Attorneys General of 27 other States, has obtained a judgment against Tennessee-based CHS/Community Health Systems, Inc., and its subsidiary, CHSPSC LLC.  This judgment resolves an investigation of a 2014 data breach which impacted approximately 6.1 million patients, including 31,253 known patients in Nevada.

At the time of the data breach, CHS owned, leased, or operated 206 affiliated hospitals including the Mesa View Regional Hospital in Mesquite, Nevada.  Nevada consumers may have also visited out-of-state clinics that were impacted by the breach. Exposed in the breach were the names, birthdates, Social Security numbers, phone numbers and addresses of patients.

The judgment, agreed to by CHS, requires a $5 million payment to the States and provides that CHS agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard Personal Information and Protected Health Information (PHI), which will include specific information security requirements. Nevada will receive $51,096.64 from the settlement.

“My office will continue to hold companies accountable for the manner in which they collect and secure sensitive personal information of Nevada consumers,” said AG Ford.  “Settlements like this one promote improved security procedures in order to safeguard that information. Even companies that have not been breached should review recent settlements in this arena and evaluate whether their policies and procedures for network security should be enhanced.”

Specific information security measures contained in the agreed judgment include the requirements to develop a written incident response plan; to incorporate security awareness and privacy training for all personnel who have access to PHI; to limit unnecessary or inappropriate access to PHI and to implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.

Other states participating in this settlement include Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.