Tennessee-based Community Health Systems, which runs 206 affiliated hospitals in 29 U.S. states, yesterday stated in an SEC filing that its computer network "was the target of an external, criminal cyber attack" that took place in April and June of 2014.
While security company Mandiant believes the attack was launched by a group based in China, a Department of Homeland Security official told Reuters it's too early to state with confidence who was behind the attack. "While attribution of this incident is still being determined by a range of partners, we caution against leaping to premature conclusions about who or how many actors are behind these activities," the official said.
"The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data," the filing states. "However, in this instance the data transferred was non-medical patient identification data related to the Company's physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company."
Eric Chiu, president and co-founder of HyTrust, said by email that the sheer volume of patient data stolen is alarming. "This type of data is generally stored on servers in the core of a data center that would require 'insider' (employee) access," he said. "It would typically be stolen using employee credentials, which can also mean an outside attacker accessing the organization's network."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
While the stolen data included patient names, addresses, birthdates, phone numbers and Social Security numbers, it did not include financial or medical information. Community Health says it will offer identity protection services to all those affected.
Lamar Bailey, director of security research at Tripwire, said by email that the fact that financial information wasn't exposed shouldn't provide much comfort to those affected. "From a consumer's standpoint this is the worst possible kind of breach," he said. "When financial data such as credit card numbers are stolen, retailers and card issuers ultimately bear the costs. When personal information is stolen, especially healthcare data because it typically includes name, address, phone number, birth dates, and social security number, it impacts consumers directly."
Bailey said all those affected by the breach should immediately place a security freeze on their credit files to prevent new accounts from being opened without their consent. "This data can be used on the black market to create new identities for criminals and terrorists," he said. "Stolen data can also be used to open new, fraudulent credit accounts. Recovering from this kind of identity theft is difficult and can be extremely time consuming."
In the SEC filing, Community Health noted that it carries cyber/privacy liability insurance to protect it against losses related to breaches like this. "While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results," it stated.
Jerome Segura, senior security researcher at Malwarebytes Labs, said by email that the medical sector in general is not as well protected from such attacks as other sectors are, and often relies on liability insurance following an attack instead of investing in cyber security in anticipation of one. "This may work from a business standpoint in a typical risk versus cost scenario but it completely ignores the implications on individuals who may face the pain and worry of identity theft or privacy violations," he said.
Reuters reports that the breach is the largest of its kind involving patient information since the U.S. Department of Health and Human Services began tracking such breaches in 2009. It exceeds a June 2014 breach at the Montana Department of Public Health that affected approximately 1 million people.
According to a report published by Redspin in February 2014, almost 30 million Americans' protected health information (PHI) has been breached or inadvertently disclosed since 2009. More than 7 million patient records were exposed in 2013 alone.