Community Health Systems announced on Monday that outside hackers gained access to their network and stole the non-medical, personal information of 4.5 million patients. The data included names, addresses, birth dates, telephone numbers and Social Security numbers—all information that is protected under the HIPAA regulations.
The affected patients had all either been referred for or received services from doctors affiliated with the hospital group within the last 5 years.
Community Health, which is based in Franklin, Tennessee, is one of the nation’s largest hospital operators with 206 hospitals in 29 states. The states with the largest number of hospitals in the Community Health network are Texas, Pennsylvania, Tennessee and Florida.
The attackers used malware and other technology to copy and transfer data out of the Community Health system. The hospital system and its security firm, Mandiant, suspect that the attack originated in China. These types of attacks are frequently aimed at gaining access to intellectual property, such as medical device and equipment development data. Eagle warned large healthcare providers of this threat in this recent blog post.
Community Health has reported the breach to the proper authorities and is taking the proper steps to notify affected patients. This may be the second-largest breach reported to HHS in terms of the number of patient records exposed.
Targeted attacks are not common in healthcare. However, this breach provides evidence to large hospital systems that possess intellectual property that they are at risk from cyber espionage actors on a global level.