Community Health Systems, Inc. reported in a Securities and Exchange Commission (SEC) filing a breach of 4.5 million patients' data, in which Chinese cyber criminals hacked into its computer network with malware between April and June 2014.
According to Reuters, Community Health operates 206 hospitals across 29 states and is among the largest publicly-traded hospital companies in the U.S. Compromised patient data included names, addresses, birth dates, telephone numbers and Social Security numbers, but no credit card or medical data were involved. Affected patients had either been referred to or received treatment from the hospital operator’s doctors within the past five years. And because it was a HIPAA violation, the organization is alerting all 4.5 million affected patients while also providing free identity-theft protection services.
The Wall Street Journal report adds that Community Health Systems and its security vendor Mandiant maintain that the Chinese “Advanced Persistent Threat” group was the culprit. The group was able to get through Community Health’s network security with advanced malware. Mandiant also said that in the past the Chinese hacker group had looked for intellectual property, including medical device data. As a result of the breach, Community Health says it has removed the malware from its system entirely and will beef up its network security to avoid future attacks.
Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack. The Company also engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts.
In the SEC filing, Community Health Systems said that it doesn’t believe the breach will have an impact on its business.
The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.