US Healthcare Provider Hacked, 4.5 Million Patient Records Stolen

Community Health Systems (CHS), a major US operator of general hospital healthcare, has lost patient records of 4.5 million people in a hacker attack.

According to Reuters, data stolen in the breach included names, addresses, birth dates, telephone numbers and Social Security numbers. No financial data or medical information was compromised.

CHS said the digital forensics work conducted by the law enforcement agencies and security specialist Mandiant, a subsidiary of FireEye, suggests that the attack originated from China.

The question of value

CHS is a Fortune 500 company based in Nashville, Tennessee. Through its affiliates it owns, leases or operates 206 hospitals in 29 states, employing more than 135,000 people.

The attack was likely carried out between April and June and affects 4.5 million people who received medical services from the company in the past five years.

Mandiant reported that “the methods and techniques” used in the attack were similar to those employed by a notable hacker group in China. The company refused to name the group or disclose whether it has links to the Chinese state. It did say that this group is usually interested in valuable intellectual property, not personal data.

FBI told Reuters it is investigating the case, but didn’t elaborate further.

CHS said it removed the malware from its systems and is currently notifying the affected patients, as required by law. It added that the company is insured against data loss and the breach shouldn’t have an impact on its financial results.

Just like other recent victims of high-profile data breaches – Target and more recently, US retail chain SuperValu – CHS will offer free identity theft protection services to affected customers.

In April, the FBI warned US healthcare providers that their cybersecurity systems were lax compared with other sectors. The agency said that medical records were actually more valuable to cyber criminals than credit card numbers since they could be used to gain access to a bank account or obtain prescriptions for controlled substances.

“From a consumer standpoint this is the worst type of breach. When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards but when personal information is stolen –  name, address, phone number, birth dates, and social security number – it impacts the person and not a company,” commented Lamar Bailey, director of security R&D at Tripwire.

“This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims. The other concern is that this data can be used on the black market to create new identities for scores of criminals and terrorists. Anyone affected by this breach should freeze their credit immediately to stop new credit accounts from being open without their consent.”

What do you do when tech fails? Take our quiz!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago