Franklin-based Community Health Systems has agreed to pay $5 million in a multistate settlement related to its 2014 data breach that impacted 6.1 million patients, including nearly 450,000 in Tennessee.
Tennessee Attorney General Herbert Slatery joined 27 other states in the action against CHS, as well as federal regulators, which settled with the hospital company two weeks ago for $2.3 million and a probationary period. The company also agreed to settle a class action over the breach last year.
Tennessee will receive up to $667,000 as part of the state settlement. In addition, CHS will be required to implement and maintain a comprehensive security program to safeguard patient information. According to the attorney general's office, that program will include a written incidence response plan for security and privacy training, limiting access to personal health information and implementing new internal policies surrounding cybersecurity.
CHS officials contend the allegations against them in the multiple suits are inaccurate and that the company cooperated with the FBI to resolve the breach since it occurred.
"Community Health Systems is pleased to have resolved this six-year-old matter in which it admitted no wrongdoing," a spokesperson told the Nashville Post. "The Company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack."