Skip to Content

Attorney General Morrisey announces settlement in hospital data breach

CHARLESTON, W. Va. (WVVA) - WV Attorney General Patrick Morrisey has announced a $5 million, multi-state settlement with a leading hospital operator related to a data breach back in August of 2014.

The terms of the settlement require Community Health Systems Inc., also known as CHS, to pay $5 million to 27 states who are a party to the settlement.

The settlement also requires CHS to implement and maintain a comprehensive information security security program designed to protect personal and protected health information.

“All consumers rely upon businesses, especially hospitals, to secure their sensitive personal, identifiable information,” Attorney General Morrisey said.

“Any company that breaks that trust must be held accountable. This settlement emphasizes the meticulous protocols consumers expect to protect their information from unlawful use or disclosure.”

At the time of the breach in August of 2014, CHS owned, operated, or leased 206 affiliated hospitals.

These included five West Virginia entities:

  •  Oak Hill Clinic Corp.
  • Oak Hill Hospital Corp.
  • Bluefield Clinic Company LLC
  • Greenbrier Valley Anesthesia LLC
  • Greenbrier Valley Emergency Physicians and Ronceverte Physician Group

CHS is a Tennessee-based company and maintains control of over 92 hospitals, including Greenbrier Valley Medical Center for Ronceverte and Plateau Medical Center of Oak Hill, according to its website.

The state of West Virginia will receive an allotment of $73,897, and CHS patients in the state will benefit from the stringent security protocols implemented as part of the settlement.

The CHS data breach in August of 2014 impacted approximately 6.1 million people patients nationwide.

This included 75,597 consumers from the Mountain State.

The breach allowed for names, birth dates, Social Security numbers, phone numbers and patient addresses to be exposed.

Specific security measures within the settlement require CHS and subsidiary CHSPSC LLC to incorporate security awareness and privacy training, develop a written incident response plan and limit unnecessary or inappropriate access to protected health information.

They must also implement specific policies and procedures regarding business associates, including use of agreements and audits for those associates.

West Virginia joined the settlement with Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont and Washington.

For the latest news, go to our website at


Skip to content