About 4.5 million patients at any of the 206 Community Health Systems-operated hospitals around the United States have had their records stolen by hackers, the company announced Monday. The stolen data includes very sensitive information.
Anyone who received treatment in a CHS-operated hospital over the last five years is affected by the breach. However, patients who were merely referred to one of the company’s hospitals during that time period are also impacted. The hackers stole names, Social Security numbers, physical address, birthdays and telephone numbers in two attacks this spring. It does not include credit card, medical or clinical information, the Wall Street Journal reported.
The attackers appear to be from a sophisticated "Advanced Persistent Threat" hacking group in China that has breached other major US companies across several industries, said Charles Carmakal, managing director with FireEye Inc's Mandiant forensics unit, which led the investigation of the attacks on Community Health in April and June.
"They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected," he told Reuters.
The intruder uses high-end, sophisticated malware to conduct corporate espionage, and has typically sought valuable intellectual property, such as medical device and equipment development data, according to federal authorities and Mandiant, the company said.
CHS is notifying patients affected by the attack and offering them identity theft protection services. The company owns, leases or operates 206 hospitals in 29 states, mostly in rural locations, according to the Wall Street Journal. It would be the largest theft of personal patient information since a US Department of Health and Human Services website began tracking medical breaches in 2009, Reuters reported.
The 4.5 million affected patients and referrals are at heightened risk for identity theft, as the hackers ‒ or those they sell the data to ‒ could potentially open bank accounts or credit cards under their names. They could also take out loans and otherwise ruin people’s personal credit history.
The company is working closely with government law enforcement authorities during the course of their investigation. The Federal Bureau of Investigation said it's working closely with the hospital network and "committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators," according to CNNMoney.
CHS also hired cybersecurity firm Mandiant to investigate, and has since eradicated the malware from its systems. It has also implemented remediation efforts to prevent similar attacks in the future.
The hospital operator is located in Franklin, Tennessee. Shares of Community Health climbed 38 cents to $51.38 late Monday morning, while broader trading indexes also rose less than 1 percent, the Associated Press reported.