Hackers steal over 4.5 million patient records from Community Health Systems
About 4.5 million patients at any of the 206 Community Health Systems-operated hospitals around the United States have had their records stolen by hackers, the company announced Monday. The stolen data includes very sensitive information.
Photo: MoD/MOD
Anyone who received treatment in a CHS-operated hospital over the last five years is affected by the breach. Additionally, patients who were merely referred to one of the company’s hospitals during that time period are also impacted.
The hackers stole names, Social Security numbers, physical address, birthdays and telephone numbers in two attacks this spring. It does not include credit card, medical or clinical information, the Wall Street Journal reported. (emphasis added, The Dispatch)
The attackers appear to be from a sophisticated “Advanced Persistent Threat” hacking group in China that has breached other major US companies across several industries, said Charles Carmakal, managing director with FireEye Inc’s Mandiant forensics unit, which led the investigation of the attacks on Community Health in April and June.
“They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected,” he told Reuters.
The hackers utilize sophisticated malware to conduct corporate espionage, and has typically sought valuable intellectual property, such as medical device and equipment development data, according to federal authorities and Mandiant, the company said.
CHS is notifying patients affected by the attack and offering them identity theft protection services.
The company owns, leases or operates 206 hospitals in 29 states, mostly in rural locations, according to the Wall Street Journal. It would be the largest theft of personal patient information since a US Department of Health and Human Services website began tracking medical breaches in 2009, Reuters reported.
The states impacted include the southeast and soutwest portions of America, including California, Texas, Florida, Georgia, Arizona and North Carolina.
The company is working closely with government law enforcement authorities during the course of their investigation. The Federal Bureau of Investigation said it’s working closely with the hospital network and “committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators,” according to CNNMoney.
CHS also hired cybersecurity firm Mandiant to investigate, and has since eradicated the malware from its systems. It has also implemented remediation efforts to prevent similar attacks in the future.
