Hospital Network Hacked, 4.5 Million Patient Records Stolen

Posted: Aug 19, 2014 8:05 AM

Any online record of a person’s name, date of birth, Social Security number, and address automatically becomes a prime target for hackers, and a hospital system is no exception.

One of the largest U.S. hospital groups, Community Health Systems Inc, revealed on Monday that it was a victim of a major cyber attack from China. The personal data and Social Security numbers of 4.5 million patients were stolen, making it the largest breach of its kind since HHS began tracking breaches in 2009, Reuters reports.

Security experts said the hacking group, known as "APT 18," may have links to the Chinese government.

"APT 18" typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries, said Charles Carmakal, managing director with FireEye Inc's (FEYE.O) Mandiant forensics unit, which led the investigation of the attack on Community Health in April and June.

"They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected," he said.

The information stolen from Community Health included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred to, or received services from, doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing.

The stolen data did not include medical or clinical information, credit card numbers, or any intellectual property such as data on medical device development, said Community Health, which has 206 hospitals in 29 states.

In April, the FBI warned the health care industry that its cyber protections lagged behind those of other sectors, making it particularly vulnerable to attacks. As of 2013, 804 large-scale breaches of protected health information had been reported to HHS since 2009, affecting nearly 30 million patient records, reports Redspin, a leading IT security assessment company.