According to several national news sources, such as Fox4 News Kansas City, CNNMoney, Reuters, the Wall Street Journal, USA Today, and the Chicago Tribune, Community Health Systems, which is based in Franklin, Tennessee, and which operates 206 hospitals in 29 states across the country, announced Monday that Chinese hackers recently broke into its computers and stole data on 4.5 million patients. The data included the patients’ names, Social Security numbers, physical addresses, birthdays, and phone numbers. Apparently, anyone who received treatment from a network-owned hospital in the last five years, or was merely referred there by an outside doctor, has been affected. Although the hackers did not steal information related to patients’ medical histories, clinical operations, or credit cards, the large data breach puts these patients at heightened risk of identity fraud that allows criminals to open bank accounts and credit cards on their behalf, take out loans, and ruin personal credit history. Community Health Systems hospitals operate in 29 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee, and Texas. This attack is apparently the largest of its type involving patient information since a Department of Health and Human Services (“DHHS”) website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.
The hospital network hired cybersecurity experts at Mandiant to consult on the hack and said that they had managed to wipe the hackers’ malware from its computer systems and implemented protections to prevent similar break-ins. Federal investigators and Mandiant told the hospital network that the hackers had previously been spotted conducting corporate espionage, targeting valuable information about medical devices. The rural hospital operator Community Health Systems and Mandiant believe that the attacker was an “Advanced Persistent Threat” group originating from China. The attacker, who used highly sophisticated malware and technology to attack the company’s systems sometime in April and June of this year, was able to bypass Community Health Systems’ security measures and to successfully copy and transfer certain data outside the company. The intruder has in the past typically sought valuable intellectual property, such as medical device and equipment development data, according to federal authorities and Mandiant.
According to the Form 8-K filed Monday with the United States Securities and Exchange Commission (“SEC”) by Community Health Systems, “[t]he attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company. Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack. . . . The Company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.”
As Jon Tomes always mentions in his seminars, webinars, books, and articles, the greatest threat in a data breach is usually not the medical information that leaks out (unless it is medical data that is relevant to, say, for example, a celebrity’s status) but instead the personal data that leaks out that can be used for identity theft, as in this case.
Have you checked your cybersecurity lately? Is your system really secure? Have you performed/updated your required risk analysis under HIPAA? Do you need a pen test? Do want to get your organization HIPAA compliant in one fell swoop? Call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at patrick@veteranspress.com. While you are talking with Patrick, ask him about our upcoming two-day Hands-on HIPAA Workshop aboard the Queen Mary anchored in Long Beach, California, October 16-17, 2014.