Large U.S. Hospital Group Claims 4.5 Million Patients' Personal Data Stolen in Chinese Cyber Attack

Large U.S. Hospital Group Claims 4.5 Million Patients' Personal Data Stolen in Chinese Cyber Attack

One of the largest U.S. hospital groups claims it was a victim of a cyber attack that originated in China and led to the theft of personal information of 4.5 million U.S. patients in April and June.

According to Reuters, Community Health Systems, Inc., a Fortune 500 company based in Franklin, Tennessee, said in a regulatory filing Monday that the stolen information included names, addresses, birth dates, telephone numbers, and Social Security numbers of patients who had been referred for or received services from doctors affiliated with the hospital group within the last five years.

The company’s filing said patients’ credit card numbers and medical information were not stolen, though the hackers did steal types of personal data still covered by the U.S. government’s Health Insurance Portability and Accountability Act (HIPAA).

Community Health Systems (CHS) spokeswoman Tomi Galin said her company’s belief that the attack originated from China is based on information from federal law enforcement and forensic experts with FireEye Inc unit Mandiant that “the methods and techniques” used by the hackers were consistent with a particular group of hackers who operate in China.

In its regulatory filing, CHS said filing investigators observed that the unnamed Chinese group believed to be behind the cyber attack typically searches for valuable intellectual property–such as medical device and equipment development data–rather than the personal information that was stolen from CHS.

As Reuters notes, in May, a U.S. grand jury indicted five Chinese military officers on charges that they hacked into U.S. companies for valuable manufacturing secrets. The Chinese government, however, denied the charges.

CHS, which has 206 hospitals in 29 states and is considered to be the largest nonurban provider of healthcare services in the United States in terms of its number of acute care facilities, states it has removed the malware from its systems and is now notifying patients and regulatory agencies as it is required to do so by law.

The company’s website was unable to be accessed at the time of publication.