Settlement reached in hospital data-breach case
WARREN — The former parent company of Trumbull Regional and Northside medical centers has reached a settlement with the attorneys general of 28 states over cases related to a 2014 data breach.
The breach impacted about 6.1 million patients nationwide.
Trumbull County Common Pleas Judge Ronald J. Rice made the order this week in the civil case filed by Ohio Attorney General Dave Yost against Community Health Systems Inc., the Delaware corporation that owned the two medical centers at the time of the data breach.
Rice’s order directs Yost to be paid a $162,939 share of the $5 million settlement.
In July 2014, CHS confirmed its computer network was the target of an external criminal cyber-attack in April and June 2014. Hackers gained access to patient names, addresses, birth dates, telephone numbers and Social Security numbers. Credit card details and medical data were not breached, but it was one of the largest health-care data breaches to date.
Tens of thousands of Ohioans may have been impacted by the breach, including patients referred to Northside Medical Center in Youngstown, Trumbull Memorial Hospital in Warren, Hillside Rehabilitation Hospital in Howland, and Sharon Regional Health System.
Immediately afterward, CHS sent letters to the patients who may have received services five years before the breach, offering them one year of free credit monitoring.
Subsequently, a lawsuit awarded patients impacted by the breach up to $5,000 in the event of losses incurred through any identity theft or fraud.
Under the terms of the settlement, CHS — which had since sold its local interests in healthcare to Steward Health Care — has also agreed to take a number of steps to prevent future breaches. These include providing regular security and privacy training for employees who handle sensitive patient data; developing a plan to ensure that any needed software patches are applied in a timely manner to avoid allowing security gaps; conducting an annual risk assessment of the CHS network, and developing a plan for protecting data; and implementing and maintaining policies to track and protect all company computers, phones and other devices that have access to or transmit sensitive patient data.