Community Health Systems Cyber Attack Puts 4.5M Patients at Risk

Community Health Systems (CHS) has announced that it’s computer network has been infiltrated by hackers who have stolen the protected health information of 4.5 million of its patients. The data accessed includes identifying information such as names, Social Security numbers and contact telephone numbers. The data affects patients who were referred for treatment to doctors affiliated with the hospital in addition to those who were treated by CHS over the previous five years. CHS operates 206 hospitals across the United States with medical facilities in 29 states.

CHS made a filing with the Securities and Exchange Commission on August 18, 2014 describing the targeted attack as being of a “highly sophisticated” nature and believed hackers accessed PHI on two occasions in April and June of this year; however the intrusion was not detected until July. CHS has now determined that the attack originated in China with a group of hackers gaining access to the CHS network.

Theft of data is a serious crime and CHS is working with law enforcement agencies in an attempt to identify and apprehend those responsible for the security breach. While data was accessed and stolen, CHS believes that medical histories and treatment data were not exposed in the attack.

Data breaches are covered under the Health Insurance Portability and Accountability Act (“HIPAA”) which stipulates that organizations who have experienced a data breach must notify all parties affected by the breach and information must be provided on the data which has been accessed to allow the victims to take steps to protect their identities and mitigate any losses caused.

While confidential medical records were not taken, the information accessed is of high value to cybercriminals. Hackers are not just interested in credit card details nowadays. Insurance premium numbers can be used to make false claims, personal information used to create false identities and social security numbers can also be used for criminal activities. With the information taken thieves would be able to obtain medical prescriptions and drugs which can be sold on the black market and commit credit fraud, with the victims often not realizing until tens of thousands of dollars in debts have been accumulated.

While financial institutions have implemented stringent cybersecurity measures to protect clients’ data, the healthcare industry has been slow to respond and implement appropriate measures to protect the identities of their patients. The threat of attack prompted the FBI to issue warnings to healthcare organizations in February of this year to alert them to the elevated risk of attack. It believed the data security systems in place were substandard and insufficient, making it too easy for hackers to access the protected health information of patients.

Attacks may be of a highly sophisticated nature but it is essential that healthcare organizations implement robust multi-layered security systems and data encryption to ensure that patient data cannot be accessed by unauthorized third parties, hackers and cybercriminals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.