Community Health Systems, a publicly traded hospital operator based in Franklin, TN, which runs 206 hospitals in 29 states, said that personal data, including names, Social Security numbers and addresses, for 4.5 million patients had been compromised in a Chinese cyberattack on its systems from April to June, as reported in the NY Times. This is the second largest HIPAA breach ever reported. The personal information the hackers were able to steal included names, Social Security numbers, addresses, birth dates and telephone numbers of patients who had been referred to or treated by doctors affiliated with the company over the last five years.
CHS has engaged Mandiant (a division of FireEye Security) to run forensics on the attack. The breach was reported to the Securities and Exchange Commission as well as the affected patients as required by HIPAA regulations.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights reports that over 90,000 HIPAA breach cases have been reported since 2003. When Director Leon Rodriguez was asked why so many breaches have occurred, he pointed to inadequate risk analysis by business associates and covered entities alike: the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis." Although HIPAA provides for fines of up to $1.5 million per year for covered entities and business associates that violate HIPAA privacy and security rules by failing to safeguard patient protected health information, only 17 fines (out of 90,000 reported breaches) have been levied.
As breaches become larger and more prevalent, it would be unsurprising if large HIPAA fines become more commonplace, especially where the breached organization has not invested in proper security, including both the technology and the senior management to run it.