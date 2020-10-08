FLORENCE, S.C. — South Carolina Attorney General Alan Wilson has obtained a judgment against the company that previously owned MUSC Health Florence Medical Center over a July 2014 data breach.
Wilson's office announced that it and the offices of attorneys general in 27 other states obtained a judgment in a settlement agreement with CHS/Community Health Systems and its subsidiary, CHSPSC LLC.
Other states participating in this settlement include Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.
In July 2014, Community Health Systems confirmed that it was the target of an external criminal cyber attack in April and June of 2014. At the time, it owned, leased, or operated 206 affiliated hospitals nationwide including four in South Carolina. Those hospitals included facilities in Florence and Marion. The company sold those four hospitals to MUSC in 2018 for $154 million.
“Privacy data breaches have been on the rise for years now, and we are challenged with balancing business interests as well as those of our South Carolina consumers,” Attorney General Wilson said. “Our office feels this is a fair settlement with procedures put in place to hopefully deter, or at least minimize, future data breach incidences that impact our state.”
The judgment requires a $5 million payment to the states and provides that Community Health Systems agrees to implement and maintain a comprehensive information security program reasonably designed to safeguard personal information and protected health information, which will include specific information security requirements. Specific information security measures contained in the agreed judgment include the requirements to develop a written incident response plan; to incorporate security awareness and privacy training for all personnel who have access to personal health information; to limit unnecessary or inappropriate access to personal health information and to implement specific policies and procedures regarding business associates, including use of business associate agreements and audits of business associates.
