Healthcare Information Security


Community Health Systems Reaches Settlement over 2014 Breach of 4.5M

While the lawsuit settlement must still be approved by the judge, patients impacted by the breach could receive up to $5,000 for losses incurred through identity theft or fraud.


By Jessica Davis

Tennessee-based Community Health Systems reached a settlement with the 4.5 million patients impacted by its 2014 data breach.

CHS operates more than 200 hospitals across the country and is one of the largest hospital networks in the U.S. In August 2014, officials confirmed to the Securities and Exchange Commission that the data of 4.5 million patients was compromised between April 2014 and June 2014 due to a malware attack.

According to officials, Chinese hackers leveraged an advanced persistent threat with advanced malware, solely focused on obtaining intellectual data. The hackers exfiltrated patient names, Social Security numbers, addresses, dates of birth, and phone numbers. Credit card details and medical data were not breached. It’s still one of the largest healthcare data breaches to date.

Patients filed several lawsuits shortly after being notified of the breach, which were later consolidated into one case in the federal court of the Northern District of Alabama. CHS sought to have the case dismissed, which was denied by a judge in September 2016.

The settlement was filed in late December and will still need to be approved by a judge during an August 13 fairness hearing.

All patients impacted by the breach are entitled to two types of payments, depending on qualifications. They’ll receive up to $250 for out-of-pocket expenses and documented time lost due to the breach. And those who experienced identity theft or fraud due to the cyberattack will receive up to $5,000.

Counsel in the lawsuit also requested approval of attorney’s fees for the case, about $900,000, as well as an incentive award of $3,500 for each representative plaintiff.

Impacted patients must file a compensation form by August 1 to be included in the settlement, or ask to be excluded by May 18. CHS has maintained there was no wrongdoing on its part.

It’s been a tough few years for CHS. The health system filed a lawsuit against Steward Health Care in November, alleging Steward failed to pay more than $10 million for the acquisition of eight CHS hospitals. CHS is also facing scrutiny by the SEC, filed in August, for its EHRs and meaningful use.

And in April 2018, Microsoft sued CHS for alleged copyright infringement, after some hospitals recently sold by CHS continued to use Microsoft products without a contract.

