Community Health Systems, operating 206 hospitals in 28 states, announced Monday that hackers have broken into their computer system and stolen personal data from 4.5 million patients’ records. The hackers have been traced to China. Information stolen includes patient names, addresses and telephone numbers, as well as birth dates and Social Security numbers. According to a report filed with the federal government by Community Health, no medical or credit card information was accessed.
The information stolen is protected under the Health Insurance Portability and Accountability Act (HIPAA), which requires notification to federal authorities and affected patients within 60 days of discovering a breach of protected health information (PHI). The media must also be informed if the breach affects more than 500 individuals. According to the health system, the breach apparently occurred in April and June, although some sources say it happened in July.
The hospital system has hired Mandiant, a corporate forensics firm, to investigate. Investigators believe the hackers are based in China and that they bypassed security measures using sophisticated malware. Other large corporations have been subjected to cyberattacks this year, most notably the attack on Target stores last Christmas that obtained credit and debit card data on 40 million shoppers.
A group of Chinese cyber spies has been attacking the healthcare industry for the past four years. They infiltrated a U.S. drug maker by hacking into the computer system of a company it was about to acquire. Other incidents include pharmaceutical labs being accessed through their university researcher connections, resulting in the loss of trade secrets such as drug trial data. The Chinese hacker group has forced drug and medical technology companies to make large investments in computer security.
High-level hacking by the Chinese coincides with a push by the Chinese government to invest in health care. China’s medical device industry is growing rapidly, and intellectual property is being targeted heavily. JD Sherry, a vice president at the network security company Trend Micro Inc., says the cyber spies are looking for trade secrets that would allow them to manufacture the items in China.
The group has also stolen the medical records of Chinese patients being treated in the U.S. According to Dmitri Alperovitch, CrowdStrike’s chief technology officer, this hospital data may be used for blackmail or intelligence recruiting. Stealing addresses and Social Security numbers from Community Health Systems marks a new avenue of theft for the group, since this type of data is normally taken only for identity fraud.
A spokesman for the Chinese embassy in Washington has responded to the allegations, saying they are based on fabricated, unprovable evidence. However, technical details of the Community Health Systems hack have allowed many cybersecurity investigators to say they instantly recognized the intruders.
The patients affected by the hospital records breach were treated over the last five years by Community Health Systems affiliated physicians. This is the second-largest attack of this type involving patient information since such breaches began to be tracked by the U.S. Department of Health and Human Services in 2009. The largest occurred in 2011, affecting 4.9 million individuals.
Community Health Systems carries cyber/privacy liability insurance, but said the attack may result in litigation, regulatory inquiries, remediation expenses and other liabilities. Bloomberg reports that the 4.5 million stolen hospital records may be the first time the Chinese hackers have targeted consumer data rather than medical engineering and technical information.
By Beth A. Balen