4.5 Million Patient IDs Compromised in Hospital Hack (PCMagazine)

·        BY DAMON POETER  AUGUST 18, 2014

The hack of Community Health Systems, operator of 200-plus hospitals, is believed to have come from China.

One of the country's biggest hospital operators, Community Health Systems, on Monday announced that its computer network was the "target of an external, criminal cyber attack" which saw the compromise of patient identification data for "approximately 4.5 million individuals."

The attacker or attackers are believed to have originated in China, according to Community Health Systems and its IT security contractor, Mandiant.

Community Health Systems, which operates more than 200 hospitals in the United States, revealed the breach in a Form 8-K filing with the U.S. Securities and Exchange Commission.

The hack of the computer network occurred in July, the publicly traded company said. Data stolen in the breach "did not include patient credit card, medical, or clinical information," Community Health Systems said, but did include "patient names, addresses, birthdates, telephone numbers, and social security numbers," which are protected under the Health Insurance Portability and Accountability Act (HIPAA).

Community Health Systems said Mandiant, serving as the company's forensic expert for the breach, believed "the attacker was an 'Advanced Persistent Threat' group originating from China who used highly sophisticated malware and technology to attack the company's systems."

The intruder or intruders behind the attack is known to federal authorities, according to Community Health Systems.

"The company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data," the SEC filing said.

However, the July intrusion focused on "non-medical patient identification data related to the company's physician practice operations," Community Health Systems said.

Attorney Nick Akerman, a partner at international law firm Dorsey and Whitney with a specialization in computer crimes, said the scope of the breach was very concerning.

"The danger here is not only in the patient's privacy but the fact that they could be victims of identity theft because of the credit card information that was stolen," Akerman said. "It is unlikely that the Chinese hackers care about the health information. What is key is the financial information on the patients."

Community Health Systems said it was "providing appropriate notification to affected patients and regulatory agencies." The company said it has finished removing the malware installed by the attackers in its computer systems and was working with Mandiant on other remediation and preventative measures to avoid future intrusions.

Damon Poeter got his start in journalism working for the English-language daily newspaper The Nation in Bangkok, Thailand. He covered everything from local news to sports and entertainment before settling on technology in the mid-2000s. Prior to joining PCMag, Damon worked at CRN and the Gilroy Dispatch. He has also written for the San Francisco Chronicle and Japan Times, among other newspapers and periodicals.