By bypassing Community Health Systems’ security system, a known ring of Chinese hackers stole the Social Security numbers, names, birthdates, and addresses of more than 4.6 million patients who were referred for or received services in the last five years from doctors affiliated with the health system. At this time, it appears that patient credit card, medical, or clinical information was not affected.
The company just made the information public on August 18 in a mandatory U.S. regulatory filing to Health and Human Services. The bureau said this is the largest hacking attack since it first started tracking breaches in 2009. The attacks apparently occurred between April and June, according to the forensic investigator, FireEye Inc.’s Mandiant unit. Trend Micro, a leader in data protection, has commented that there was “no indication that this data was encrypted.” Tennessee-based Community Health is one of the largest hospital groups in the U.S., operating 206 hospitals in 29 states, including California.
The company is notifying patients and regulatory agencies as required by federal and state law, it said in Monday’s filing. It said it will also offer identity theft protection services for individuals affected by the breach.
“Unfortunately, we have joined numerous American companies and institutions who have been victimized by highly sophisticated, criminal cyber-attacks originating out of China,” Tomi Galin, a spokeswoman for Community Health, said in an e-mail to media. “Importantly, no patient medical or financial information was transferred as a result of this intrusion.”
“This company just doesn’t seem to get it,” Jay Foley said in an exclusive interview. Foley has been a recognized identity theft expert since 1999 and was one of the first to speak up for victims of identity theft. “This company displays either ignorance or callous disregard of the people whose information was stolen with its remarks. First the theft of Social Security numbers puts people at far greater risk than credit card information.
“While Community Health’s systems were hacked it apparently didn’t even bother to encrypt the data. Saying that it is insured against this type of privacy breach and will not suffer financial losses due to the breach just adds insult to injury. The 4.6 million people whose information was taken will need to worry about possible identity theft for the rest of their lives. The ‘gallant’ offer of an identity theft protection plan for those affected is nothing more than a placebo pill. Unfortunately these plans are not bullet-proof and there is no absolute protection against identity theft.”
Data stolen from healthcare providers has been a serious problem. Numerous companies that track data breaches have shown that the medical sector has been lax compared to other entities. Additionally, medical information is highly desired on the black market, since the range of crimes it enables runs from obtaining credit, a job, and welfare to getting prescriptions and abusing health insurance plans.
More on August 21.