Hackers might have stolen the personal data of approximately 4.5 million people, hospital group Community Health Systems disclosed Monday.
Cyberthieves accessed the network of the general acute-care hospital operator in April or June, Community Health Systems (CHS) said in an SEC report. The data included patient names, addresses, Social Security numbers, birth dates, and telephone numbers, but not patient credit or health information, CHS said. The records came from people who were referred to or received treatment from the organization over the past five years, it said.
CHS affiliates "own, operate, or lease 206 hospitals in 29 states, with approximately 31,100 licensed beds," according to its website. In its most recent financials, released on July 31, the organization reported net operating revenue for the three months that ended June 30 of $4.779 billion, a 49.8% increase over net operating revenue of $3.191 billion for the same period in 2013.
Forensic expert Mandiant (acquired by FireEye in January) and CHS believe the network hacker was an advanced persistent threat group from China that used "highly sophisticated malware and technology" to attack the network. Hackers bypassed CHS's security infrastructure, then used their illegal access to copy and transfer patients' data, the report said.
CHS did not respond to InformationWeek's request for an interview by press time.
After being hired by CHS in June to investigate the intrusion, Mandiant helped CHS implement measures to "increase its ability to inhibit, detect, respond, and contain future advanced attacks," said Charles Carmakal, managing director of Mandiant, via email.
Mandiant notified federal law enforcement officials of the break-in, CHS said. In the past, the suspected hackers have pursued intellectual property, including medical device and equipment development information, although in this breach they stole patient data.
In addition to removing the malware and implementing additional "remediation efforts," CHS is offering identity theft protection services to those potentially affected by the breach. The organization's cyber/privacy/liability insurance protects Community Health Systems from certain losses related to breaches, it said.
"I think the most important takeaway for healthcare CIOs/CEOs is that healthcare has to make similar investments in information security as the banking and financial industry has recently done," Sascha Schleumer, a CISSP and information security consultant to the Los Angeles County Department of Public Health, told InformationWeek. "From the perspective of malicious hackers, why bother going after difficult targets when there are so many in the healthcare sector that have fewer protections? It's the same reason HR departments and tax preparers are being targeted -- less effort and more reward for the criminals."
Healthcare organizations are in general less secure than retailers, BitSight Technology determined earlier this year. As InformationWeek reported in May, healthcare took the longest time to respond to a breach -- more than five days to remediate illicit access -- compared with retailers' average four-day response.
The breach notification comes only weeks after Community Health Systems entered a settlement agreement with the US Department of Justice after an investigation into short-stay hospital admissions through emergency departments at some of its affiliated hospitals. The government concluded that 119 hospitals billed various payers for inpatient treatments that should have been billed as outpatient or observation cases. Under the agreement, Community Health Systems and affiliated hospitals agreed to pay more than $88 million but admitted no wrongdoing. It also entered into a five-year corporate integrity agreement (CIA) that's been incorporated into the organization's existing compliance program.
You can hear more about this article on this week’s episode of InformationWeek Radio. We’ll be talking with the author at 2:00 PM EDT on Tuesday, August 26 — we hope you’ll join us! Register here.