Community Health Systems announced that it suffered a data breach resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.
In a regulatory filing with the U.S. Securities and Exchange Commission, the company said it was attacked during April and June of this year by an “Advanced Persistent Threat” group believed to be operating out of China.
Community Health Systems operates 206 hospitals in 29 states, with the most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas. The company said in the filing that the stolen information included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred to or received services from doctors affiliated with the hospital group in the last five years. The stolen data did not include medical or clinical information.
“It’s hard to tell why these guys took the data or what they plan to do with it,” said Charles Carmakal, managing director with FireEye Inc’s Mandiant forensics unit, which led the investigation of the attack on Community Health in April and June. His firm monitors about 20 hacking groups in China.
Based on Mandiant’s investigation, Community Health Systems believes that the attack originated from China and that the hackers used “highly sophisticated malware and technology to attack the Company’s systems.” The company notes that these attacks typically go after intellectual property like medical device and equipment development data. However, this time around, the hackers went after personal records.
Community Health Systems has since eradicated the attackers’ malware from its systems and increased its computer defenses to prevent future attacks. The company said it would provide identity theft protection to affected patients and that it carried cyber insurance to mitigate some of its losses.