On October 8, 2020, New Jersey Attorney General Gurbir Grewal (AG) announced that his office has entered into a multi-state settlement agreement with Community Health Systems, Inc. (CHS) stemming from an investigation of a 2014 data breach that exposed personal information of approximately 6.1 million patients, including 45,000 New Jersey residents. This is after CHS agreed to pay $2.3 million in settlement for HIPAA violations alleged by the Office for Civil Rights.

The AG filed a complaint against CHS following the data breach alleging misrepresentation and violation of the New Jersey Consumer Fraud Act because CHS disclosed to consumers that it “employed security measures to protect information from unauthorized disclosure through various means such as encryption.”

The complaint alleged that CHS failed to implement and maintain reasonable security for the personal information that it collected and maintained, failed to provide security and confidentiality of stored information, and permitted unauthorized disclosure of protected health information inconsistent with HIPAA.

CHS and its subsidiary CHSPSC LLC agreed to pay $5 million to 28 participating states. In the final consent judgment, CHS denied the facts as alleged or any liability for the data breach.