US Healthcare Provider Hacked, 4.5 Million Patient Records Stolen

Community Health Systems (CHS), a major US operator of general hospitals, has lost the patient records of 4.5 million people in a hacker attack.

According to Reuters, data stolen in the breach included names, addresses, birth dates, telephone numbers and Social Security numbers. No financial data or medical information was compromised.

CHS said the digital forensics work conducted by law enforcement agencies and security specialist Mandiant, a subsidiary of FireEye, suggests that the attack originated from China.

The question of value

CHS is a Fortune 500 company based in Nashville, Tennessee. Through its affiliates it owns, leases or operates 206 hospitals in 29 states, employing more than 135,000 people.

The attack was likely carried out between April and June and affects 4.5 million people who received medical services from the company in the past five years.

Mandiant reported that “the methods and techniques” used in the attack were similar to those employed by a notable hacker group in China. The company refused to name the group or disclose whether it has links to the Chinese state. It did say that this group is usually interested in valuable intellectual property, not personal data.

The FBI told Reuters it is investigating the case, but didn’t elaborate further.

CHS said it removed the malware from its systems and is currently notifying the affected patients, as required by law. It added that the company is insured against data loss and the breach shouldn’t have an impact on its financial results.

Just like other recent victims of high-profile data breaches – Target and more recently, US retail chain SuperValu – CHS will offer free identity theft protection services to affected customers.

In April, the FBI warned US healthcare providers that their cybersecurity systems were lax compared with other sectors. The agency said that medical records were actually more valuable to cyber criminals than credit card numbers since they could be used to gain access to a bank account or obtain prescriptions for controlled substances.

“From a consumer standpoint this is the worst type of breach. When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards, but when personal information is stolen – name, address, phone number, birth dates, and social security number – it impacts the person and not a company,” commented Lamar Bailey, director of security R&D at Tripwire.

“This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims. The other concern is that this data can be used on the black market to create new identities for scores of criminals and terrorists. Anyone affected by this breach should freeze their credit immediately to stop new credit accounts from being opened without their consent.”


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
