Community Health Systems says personal data stolen in cyber attack by reuters
(Reuters) — U.S. hospital operator Community Health Systems Inc. said on Monday personal data, including patient names and addresses, of about 4.5 million people were stolen by hackers from its computer network, likely in April and June.
The company said the data, considered protected under the Health Insurance Portability and Accountability Act, included patient names, addresses, birth dates, telephone numbers and Social Security numbers. It did not include patient credit card or medical information, Community Health Systems said in a regulatory filing.
It said the security breach had affected about 4.5 million people who were referred for or received services from doctors affiliated with the hospital group in the last five years.
The FBI warned healthcare providers in April that their cyber security systems were lax compared to other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions, Reuters previously reported.
The company said it and its security contractor, FireEye Inc. unit Mandiant, believed the attackers originated from China. They did not provide further information about why they believed this was the case. They said they used malware and other technology to copy and transfer this data and information from its system.
Community Health, which is one of the largest hospital operators in the country with 206 hospitals in 29 states, said it was working with federal law enforcement authorities in connection with their investigation into the attack. It said federal authorities said these attacks are typically aimed at gathering intellectual property, such as medical device and equipment development data.
It said that prior to filing the regulatory document, it had eradicated the malware from its systems and finalized the implementation of remediation efforts. It is notifying patients and regulatory agencies as required by law, it said.
It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.