October 8, 2020
Carson City, NV – Today, Nevada Attorney General
Aaron D. Ford announced that he, along with the Attorneys General of 27 other
States, has obtained a judgment against Tennessee-based CHS/Community Health
Systems, Inc., and its subsidiary, CHSPSC LLC.
This judgment resolves an investigation of a 2014 data breach which
impacted approximately 6.1 million patients, including 31,253 known patients in
At the time of the data breach, CHS owned,
leased, or operated 206 affiliated hospitals including the Mesa View Regional
Hospital in Mesquite, Nevada. Nevada
consumers may have also visited out-of-state clinics that were impacted by the
breach. Exposed in the breach were the names, birthdates, Social Security
numbers, phone numbers and addresses of patients.
The judgment, agreed
to by CHS, requires a $5 million payment to the States and provides that CHS
agrees to implement and maintain a comprehensive information security program
reasonably designed to safeguard Personal Information and Protected Health
Information (PHI), which will include specific information security
requirements. Nevada will receive $51,096.64 from the settlement.
“My office will continue to hold companies
accountable for the manner in which they collect and secure sensitive personal
information of Nevada consumers,” said AG Ford. “Settlements like this one promote
improved security procedures in order to safeguard that information. Even
companies that have not been breached should review recent settlements in this
arena and evaluate whether their policies and procedures for network security
should be enhanced.”
Specific information security measures
contained in the agreed judgment include the requirements to develop a written
incident response plan; to incorporate security awareness and privacy training
for all personnel who have access to PHI; to limit unnecessary or inappropriate
access to PHI; and to implement specific policies and procedures regarding
business associates, including use of business associate agreements and audits
of business associates.
participating in this settlement include Alaska, Arkansas, Connecticut,
Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan,
Mississippi, Missouri, Nebraska, New Jersey, North Carolina, Ohio, Oregon,
Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont,
Washington, and West Virginia.