Chinese Hackers Hit Community Health System - InformationWeek

Hackers who broke into network hospital group Community Health Systems stole non-medical customer data including credit cards, says new report.

Hackers might have stolen the personal data of approximately 4.5 million people, hospital group Community Health Systems disclosed Monday.

Cyberthieves accessed the general acute-care hospitals operator's network in April or June, said Community Health Systems (CHS) in an SEC report. Data included patient names, addresses, Social Security numbers, birth dates, and telephone numbers, but did not include patient credit or health information, CHS said. The records came from people who were referred to or received treatment from the organization over the past five years, it said.

CHS affiliates "own, operate, or lease 206 hospitals in 29 states, with approximately 31,100 licensed beds," according to its website. In its most recent financials, released on July 31, the organization reported net operating revenue for the three months that ended June 30 of $4.779 billion, a 49.8% increase over net operating revenue of $3.191 billion for the same period in 2013.

Forensic expert Mandiant (acquired by FireEye in January) and CHS believe the network hacker was an advanced persistent threat group from China that used "highly sophisticated malware and technology" to attack the network. Hackers bypassed CHS's security infrastructure, then used their illegal access to copy and transfer patients' data, the report said.

CHS did not respond to InformationWeek's request for an interview by press time.

After being hired by CHS in June to investigate the intrusion, Mandiant helped CHS implement measures to "increase its ability to inhibit, detect, respond, and contain future advanced attacks," said Charles Carmakal, managing director of Mandiant, via email.

Mandiant notified federal law enforcement officials of the break-in, CHS said. In the past, the suspected hackers have pursued intellectual property, including medical device and equipment development information, although in this breach they stole patient data.

In addition to removing the malware and implementing additional "remediation efforts," CHS is offering identity theft protection services to those potentially affected by the breach. The organization's cyber/privacy/liability insurance protects Community Health Systems from certain losses related to breaches, it said.

"I think the most important takeaway for healthcare CIOs/CEOs is that healthcare has to make similar investments in information security as the banking and financial industry has recently done," CISSP and information security consultant to the Los Angeles County Department of Public Health Sascha Schleumer told InformationWeek. "From the perspective of malicious hackers, why bother going after difficult targets when there are so many in the healthcare sector that have fewer protections. It's the same reason HR departments and tax preparers are being targeted -- less effort and more reward for the criminals."

Healthcare in general is less secure than retail, BitSight Technology determined earlier this year. As InformationWeek reported in May, healthcare took the longest time to respond to a breach, taking more than five days to remediate illicit access, compared with retailers' average four-day response.

The breach notification comes only weeks after Community Health Systems entered a settlement agreement with the US Department of Justice after an investigation into short-stay hospital admissions through emergency departments at some of its affiliated hospitals. The government concluded that 119 hospitals billed various payers for inpatient treatments that should have been billed as outpatient or observation cases. Under the agreement, Community Health Systems and affiliated hospitals agreed to pay more than $88 million but admitted no wrongdoing. It also entered into a five-year corporate integrity agreement (CIA) that's been incorporated into the organization's existing compliance program.

Alison Diana is an experienced technology, business and broadband editor and reporter. She has covered topics from artificial intelligence and smart homes to satellites and fiber optic cable, diversity and bullying in the workplace to measuring ROI and customer experience.

User Rank: Author
8/19/2014 | 9:21:18 AM
Re: More insight
It puzzled me that these hackers reportedly didn't steal either credit data or PHI, but took only other personal info (like SSNs, addresses, and ages). Of course, this information is useful and valuable to cyberthieves but it makes me wonder whether they just happened across CHS, vs. it being a primary target. I'd also love to know more about how the malware was installed, although I suspect (and this is only a guess) it may have entered via social engineering.
User Rank: Author
8/18/2014 | 5:37:54 PM
The Insurance Angle
I wonder whether the insurance companies that offer cybersecurity coverage can play a bigger role in encouraging healthcare organizations to invest more heavily and appropriately in security? I'm not saying that's the case at CHS, but some organizations spend very few dollars or other resources on securing data, networks, physical devices -- despite all the dire warnings coming from multiple sectors, including those without any monetary gain (but lots to lose). Just as your insurance decreases when you install a home alarm system or take a driver's ed class, you'd think rates for cybersecurity insurance could be cut substantially when organizations take multiple proactive steps to reduce risk. Anyone have more insight into this aspect?
User Rank: Author
8/18/2014 | 5:23:01 PM
Re: More insight
@Alison yes, it really is critical that there not be any weak spots.
User Rank: Author
8/18/2014 | 4:53:05 PM
More insight

Here's another comment I received after filing the story:

Even in large complex organizations, the threat of data breaches is determined by the weakest link, which may be a small organization that is a business partner. With healthcare organizations increasingly adopting electronic medical record systems and automating transaction processes, we may see more frequent and disruptive breaches in this sector, at a time when healthcare organizations are trying to get patients, physicians and partners to adopt electronic records and processes.


So healthcare CEOs have to recognize that effective information security management is crucial, not just internally but also in processes involving external stakeholders and open networks.


Professor Amit Basu

Carr P. Collins Chair in MIS

Chairman, ITOM Department

Cox School of Business

Southern Methodist University
