AGs Settle with Hacked Hospital System

  • A group of 28 AGs, led by Tennessee AG Herbert Slatery III, reached a settlement with national hospital system Community Health Systems Inc. and its subsidiary (collectively “CHS”) to resolve allegations that CHS failed to protect the sensitive and health-related data of millions of consumers in a 2014 cyberattack in violation of the states’ respective consumer protection laws.
  • According to the Tennessee complaint, the allegations stem from CHS’s disclosure that hackers used malware to access its systems and steal sensitive personal and health-related patient information.
  • Under the terms of the settlement, CHS will pay $5 million to the settling states and will fortify its data security by, among other things, developing a written incident response plan, adding security and privacy training for all personnel with access to sensitive information, limiting access to sensitive information to those employees who need it for their work, and implementing more robust data security policies and procedures regarding its business associates.