Lawsuit Against Community Health Systems 4.5 Million-Record Data Breach Finally Reached a Settlement

by

Community Health Systems’ (CHS) is offering compensation to its patients for the theft of their protected health information (PHI) during a cyberattack in 2014. Community Health Systems Tennessee is one of the biggest healthcare systems managing more than 200 hospitals in the U.S.

In 2014, CHS found that malware was installed on its systems, which allowed unauthorized persons to access patient data from April to June 2014. It is believed that people behind the cyberattack were threat actors located in China.

The attackers used an advanced variant of malware for the sole intention of acquiring sensitive data. Upon investigation of the breach, it was confirmed that patient information such as names, addresses, telephone numbers, birth dates, and Social Security numbers were exfiltrated. The attackers were able to steal the PHI of 4.5 million patients.

Back in 2014, it was the biggest healthcare data breach reported to the Department of Health and Human Services’ Office for Civil Rights. It is still one of the top six biggest healthcare data breaches ever.

After the breach, patients filed many lawsuits seeking compensation for their stolen personal data. The lawsuits were combined into just one lawsuit, which made it through the attempts of CHS for case dismissal. Now, the case reached a settlement.

The settlement states two payment options for breach victims. Persons who can show that they have sustained out-of-pocket costs because of the breach and/or can present proof of time lost protecting their accounts, can assert around $250 in settlement. Persons who sustained identity theft or fraud because of the breach can get around $5,000 in damages

Legal fees amounting to $900,000 were also covered by the settlement agreement in addition to a payment of $3,500 for every representative class member.

To be eligible for payment, victims should submit a compensation claim by August 1, 2019. Persons who do not agree to the settlement and those who want to submit an objection can notify CHS until May 18.

The settlement still needs to be evaluated for justness and sanctioned by a judge. A hearing was scheduled on August 13, 2019.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]