Tennessee-based hospital network hacked, 4.5 million records stolen


BRENTWOOD, Tenn. — Community Health Systems, which operates 206 hospitals across the United States, announced Monday that China-based hackers recently broke into its computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.

The company’s hospitals operate in 28 states but have their most significant presence in Tennessee, Mississippi, Alabama, Florida, Oklahoma, Pennsylvania, and Texas.

CHS hospitals in the MidSouth include Helena Regional, Dyersburg Regional and Regional Hospital of Jackson, according to WREG Chief Consumer Investigator Zaneta Lowe.

Anyone who received treatment from a network-owned hospital in the last five years — or was merely referred there by an outside doctor — is affected.

The large data breach puts these people at heightened risk of identity fraud.

That allows criminals to open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.

Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack.

They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.

The FBI said it’s working closely with the hospital network and “committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.”

Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.

But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients’ medical histories, clinical operations or credit cards.

Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.

As for exposed victims protecting themselves? There’s little they can do. They won’t be truly protected from fraud until numerous government agencies, credit bureaus, banks, data brokers and others update their systems.

Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients “as required by federal and state law,” which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.

Shares of the publicly traded Community Health Systems edged lower Monday morning.

But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it “carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature.”

The hospital network said that just before Monday’s announcement, it managed to wipe the hackers’ malware from its computer systems and implemented protections to prevent similar break-ins.

The company plans to offer identity theft protection to the 4.5 million victims of the data breach.

CNN’s Evan Perez contributed to this report.

5 comments

  • Alkebu

    Credit card companies get hacked daily and no one raises an eyebrow…. The Internet as a whole needs a tremendous security upgrade, shame the ISPs don’t see it that way. So, really no surprise here.

  • Leroy brown

    So good to see no one is mentioning race or politics for once. Nothing is completely safe and secure anymore. As far as paper and pencils, you could always have dishonest employees willing to steal and sell that info, it has happened before.

  • J. Creechan

    The situation is much more insidious than this story reports. The personal information has already been used to contact elderly patients for the purpose of phone fraud and extortion. The personal information allows a hacker to call an elderly patient and use personal knowledge to gain the trust of the patient. For instance, patients may receive a call from a “long-lost relative” offering to help as long as costs for travel are paid in advance. The hospitals do not feel they are responsible for such actions, and many of their former patients have been defrauded of money by this type of “ruse”. The security breach leaves older and vulnerable patients open to these acts of extortion. Any patient in any one of these hospitals should exercise great care and caution to make certain that people who call them are really who they claim to be.
