No Security Awareness Training? Wait For The Class Action Lawsuit.
A Tennessee-based health system's legal settlement will cost them millions.
Quite the shocker of a title, right?
It's real.
After its painful 2014 breach, Community Health System (CHS) just settled another class action lawsuit related to a prior data breach. It was a big one - over 6 million patients affected.
And yes, we said "another" lawsuit, meaning this is the second massive settlement for the same breach.
The first settlement amounted to $3.1 million for the six million plus patients affected. The most recent, their second settlement, hit $5 million to settle investigations with regulators. Regulators weren't too fond of the lax security procedures they discovered.
As part of the settlement, the health system agreed to implement a list of (very useful!) security measures, including:
- develop a written incident response plan
- incorporate security awareness training for all personnel
- limit access to protected health information
- implement specific policies regarding business associates.
To be fair, we're kind of shocked these items weren't already in place.
It would be comforting at this point to think this is a one-off. It's not a one-off. Class action suits appear to be a new normal in the aftermath of cyber attacks.
In particular, the healthcare industry is under fierce attack. And this has only increased during the Coronavirus pandemic.
Healthcare organizations have a tremendous amount of sensitive patient information. The burden of protecting that information is increasing - coming from regulators, patients and those class action lawyers.
Remember, hackers have upped their game. Ransomware attacks now start by stealing as much data as they can find. Only after they grab all this data do they encrypt (or lock) your network and issue their ransom demands. If you don't pay up, those stolen files will quickly find their way to the Dark Web, where anything can happen.
It's nasty.
The good news is that