updated 06:34 pm EDT, Mon August 18, 2014
Personal information including social security numbers stolen, no medical information
Today, in a filing with the United States Securities and Exchange Commission (SEC), medical services provider Community Health Systems (CHS) revealed that it was the victim of a cyber attack that spanned a three-month period. According to the filing information, personal information from around 4.5 million patients was stolen, including Social Security numbers.
The company believes that the attack started in April and ran until June, but didn't give specific dates in the SEC document. According to the filing, the party responsible for the attack on the company's computer systems is believed to be a "Advanced Persistent Threat" group out of China. The group used "highly-sophisticated malware and technology" to carry out the attack. CHS learned of the attack source after it brought on Mandiant, a subsidiary of FireEye, to look into a possible breach.
While CHS has been working with Mandiant and federal law enforcement, the damage is found to be quite widespread. Typically, the hacking group involved seeks information regarding intellectual property, but evidence was found that the data stolen consisted of "non-medical patient identification data relating to the company's physician practice operations."
Patients that have dealt with CHS, which is one of the largest hospital operators in the United States, in the last five years are said to be affected. This includes any patients that received services or were referred to affiliated doctors. Currently, there are 206 hospitals in the network, across 29 states. The breach marks the largest theft from the healthcare industry since the attack on the Montana Department of Public Health in 2009.
Information that was stolen from for the approximately 4.5 million patients consisted of data that would generally be protected under the Health Insurance Portability and Accountability Act (HIPAA). CHS states that the information includes "patient names, addresses, birthdates, telephone numbers and Social Security numbers." However, no medical or clinical information was obtained, nor were any credit card numbers or other payment data involved.
CHS indicates that they are looking to prosecute the responsible parties, but if the attackers are confirmed to be in China, it's highly unlikely that anything would happen. The United States and China have a strained relationship when it comes to hacking and espionage, especially when demands are made for legal action.
Identity theft services are being offered to the patients affected by the data theft. CHS has already started notifying patients and other regulatory agencies.