Bloomberg News

Data for 4.5 Million Patients Stolen From Hospital Group

August 19, 2014

Chinese hackers stole social security numbers, names and addresses from 4.5 million patients of Community Health Systems Inc., the second-biggest for-profit U.S. hospital chain, according to the company.

The attacks occurred in April and June, the Franklin, Tennessee-based company said yesterday in a U.S. regulatory filing. The hacker group originated from China and bypassed the company’s security system, making off with non-medical information from people who visited doctors’ offices associated with the company.

“Unfortunately, we have joined numerous American companies and institutions who have been victimized by highly sophisticated, criminal cyber-attacks originating out of China,” Tomi Galin, a spokeswoman for Community Health, said in an e-mail. “Importantly, no patient medical or financial information was transferred as a result of this intrusion.”

Community Health is among several companies that have reported similar breaches. Supervalu Inc., a U.S. supermarket chain, said Aug. 15 that it suffered an attack that exposed customers’ credit- and debit-card information. The retailer Target Corp. was breached last year by Eastern European hackers who stole credit card numbers and other personal data from at least 70 million customers in one of the biggest retail hacking incidents in U.S. history.

‘Groundless Accusations’

The Chinese embassy in Washington said it wasn’t aware of the attack. “Chinese laws prohibit cyber crimes of all forms and Chinese government has done whatever it can to combat such activities,” Geng Shuang, an embassy spokesman, said in an e-mail. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”

The company could have done a better job safeguarding the data, said one electronic security expert. “There is no indication that this data was encrypted, which creates further challenges for the organization and the patients impacted,” JD Sherry, vice president for network security company Trend Micro Inc., said in an e-mail.

Community Health said it hired electronic forensics specialist Mandiant Corp., a subsidiary of FireEye Inc. (FEYE:US), to investigate the incident and suggest security improvements. The hospital operator is also working with the U.S. Federal Bureau of Investigation.

State-Sponsored Hack

“We understand the significance of this and other recently announced cyber-intrusions by state actors and other cybercriminals and are committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators,” FBI spokesman Joshua Campbell said in an e-mail.

Federal authorities and security experts have been tracking the Chinese state-sponsored group they believe is responsible for the breach over a period of several years. This is the first time the group has been linked to the theft of the kind of personal data in which cybercriminals specialize, according to a person familiar with the investigation.

Usually, the Chinese hacker group focuses on typical targets of industrial espionage, specializing in pharmaceutical companies and research related to the development of new drugs. It has occasionally targeted other sectors as well, according to the person involved in the investigation, who agreed to speak only on condition of anonymity.

Community Health said it’s notifying patients and will be offering identity theft protection services to them. The company said it doesn’t believe the electronic break-in will affect its business.

Sherry said the hospital chain will have to reassure patients after the hacking incident.

“The bigger financial impact is the soft costs of losing patient trust and confidence in their services, which can be extremely difficult to recover from,” Sherry said.

To contact the reporters on this story: Cynthia Koons in New York at ckoons@bloomberg.net; Michael Riley in Washington at michaelriley@bloomberg.net

To contact the editors responsible for this story: Reg Gale at rgale5@bloomberg.net Drew Armstrong, Andrew Pollack

