Community Health Systems Inc., one of the United States’ largest hospital healthcare providers, reported a malware attack and theft of data relating to about 4.5 million individuals.
“The majority of patients of clinics and hospital-based physicians affiliated with CHSPSC [Community Health Systems Professional Services Corporation] were not affected by this breach,” stated Community Health. “Individuals whose information was taken in this cyber-attack will be mailed a letter informing them about the data breach and how to enroll in free identity theft protection and credit monitoring services. The data taken includes patients’ names, addresses, birthdates, social security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors.
“However, to the best of CHSPSC’s knowledge, no credit card information was taken and no medical or clinical information was taken.”
CHS worked with a third-party forensics firm, Mandiant, to assess the scope of the breach and said it believes the attack originated from China and incorporated “highly sophisticated malware and technology” that allowed hackers to bypass the company’s security system.
“Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack,” said CHS.
The affected individuals included anyone who has been referred to or received services from CHS-affiliated physicians. CHS noted that although the lost data is not financial information, it is considered protected by the Health Insurance Portability and Accountability Act (HIPAA). CHS also noted that it has cyber/privacy liability insurance coverage to guard against the associated “remediation expenses, regulatory inquiries, litigation and other liabilities.”
CHS assured the public that actions have already been taken to protect against future attacks, including extra audit and surveillance technology, advanced encryption, and changes to user passwords.
The attack on CHS follows another recent breach aimed at USIS, the largest private supplier of background investigation information to the US government, which the firm also cited as a “state-sponsored attack.”
USIS reported the intrusion to federal law enforcement and other pertinent agencies, and commented on the “epidemic” nature of cyber attacks.
“Cybercrime and attacks of this nature have become an epidemic that impacts businesses, government agencies, and financial and educational institutions alike. The protection and safeguarding of our networks, our data and the data of our customers is always of the utmost importance, and we have invested heavily in security measures,” said USIS in a statement.
“Our systems and people identified this attack, and, in response, we are working alongside OPM, the Department of Homeland Security (DHS) and federal law enforcement authorities in redoubling our cyber security efforts. We are working collaboratively with OPM and DHS to resolve this matter quickly and look forward to resuming service on all our contracts with them as soon as possible. We will support the authorities in the investigation and any prosecution of those determined to be responsible for this criminal attack.”