Summary: An unknown group of hackers has stolen the personal information of over four million patients who were affiliated with Community Health Systems, Inc. The security breach is being investigated by federal agencies.
4.5 million patients have had their names, addresses, birth dates, telephone numbers, and Social Security numbers stolen in a massive cyber attack that seems to have originated in China. According to findlaw.com, the data was stolen from patients who were referred to or received services from doctors affiliated with Community Health Systems, Inc. in the past five years. The data was stolen over several weeks in April and June.
The information stolen did not include credit card numbers or medical or clinical information. The data that was stolen, however, was covered by the United States Health Insurance Portability and Accountability Act (HIPAA), the law that governs the privacy of patient information.
Community Health has 206 hospitals in 29 states in the U.S. It stated it has removed all malware from its computer systems and is working to restore security to its network. Patients and regulatory agencies are being appropriately notified. It added that it is insured against such a loss, and that the security breach should not adversely affect its financial status. Its stock was actually up 48 cents at $51.48 on the New York Stock Exchange today.
Tomi Galin, spokeswoman for Community Health Systems, stated that the origins of the attack are believed to be in China. Both federal law enforcement and Mandiant, forensics experts with FireEye Inc., noted that the “methods and techniques” employed by the hackers were consistent with a known group of hackers in China. However, according to Community Health Systems’ regulatory filing, this group typically hunts for valuable intellectual property, such as medical device and equipment development data, as opposed to the personal information of patients. Galin did not comment as to whether the group was believed to be linked to the Chinese government. Galin also did not identify the hacker group by name.
A grand jury indicted five Chinese military officers in May on charges involving the hacking of companies in the United States for sensitive manufacturing secrets. The indictment is the most severe action that has been taken to address cyber spying. China, however, has denied the charges.
Healthcare providers were warned in April that their cyber security systems were not as secure as those of other sectors. The FBI informed these providers that this made their data systems vulnerable to hackers, as most hackers dig for details that can be used to access bank accounts or obtain prescriptions.