Personal info of 4.5 million patients stolen in US hospital group breach

Community Health Systems, a major group that operates 206 hospitals throughout the US, has suffered a massive data breach: personal information of some 4.5 million patients has been stolen from their systems.

The data in question includes patients’ names, addresses, birth dates, telephone numbers and Social Security numbers.

News of the breach broke after the company filed a report with the Securities and Exchange Commission.

In it they explained that the attack happened in April and June 2014, and was discovered in July.

The company has hired forensic experts from Mandiant to investigate the breach, and they believe the attacker was an APT group originating from China, which was able to bypass the company’s security measures and successfully copy and transfer certain data. They haven’t said which group it is, or if they believe it to be connected to the Chinese government.

Mandiant experts are also advising them regarding remediation efforts, and have made sure that all malware was removed from the company’s systems.

“The company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data,” they noted.

“However, in this instance the data transferred was non-medical patient identification data related to the company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the company.”

The only good news is that patients’ credit card, medical or clinical information hasn’t been compromised.

“From a consumer standpoint this is the worst type of breach,” commented Lamar Bailey, Director security R&D, Tripwire. “When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards but when personal information is stolen – name, address, phone number, birth dates, and social security number – it impacts the person and not a company.”

“This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims. The other concern is that this data can be used on the black market to create new identities for scores of criminals and terrorists,” he concluded, and advised that anyone affected by this breach should freeze their credit immediately to stop new credit accounts from being open without their consent.

“This is a pretty big deal. Healthcare systems seem to be getting a closer eye on them by attackers. This may be due to each healthcare provider/network possibly having different standards to information security (some maybe more lax than others),” noted Jonathan French, a security analyst with AppRiver.

“Ignoring that it was a healthcare breach and looking at the data, this is similar to most other breaches,” he commented, and pointed out that the main thing to worry about is the compromised Social Security numbers.

“The other data alone can do damage, but having valid Social Security numbers and the other information tied to the numbers can possibly cause a lot of damage. And with 4.5 million of these, I imagine this information, if sold, could be pretty profitable for the attackers,” he added.

The company is collaborating with federal law enforcement authorities, is working on notifying affected individuals, and will be offering identity theft protection services to them.

Time will tell how costly this breach will turn out to be for the company, but some of the costs will be alleviated by the cyber/privacy liability insurance they took out to protect themselves against this type of loss.

Don't miss