Chinese hackers stole Social Security numbers, names and addresses from 4.5 million patients of Community Health Systems Inc., the second-biggest for-profit U.S. hospital chain, according to the company.
The attacks occurred in April and June, the Franklin, Tennessee-based company said Monday in a U.S. regulatory filing. The hacker group originated from China and bypassed the company’s security system, making off with nonmedical information from people who visited doctors’ offices associated with the company.
“Unfortunately, we have joined numerous American companies and institutions who have been victimized by highly sophisticated, criminal cyber-attacks originating out of China,” Tomi Galin, a spokeswoman for Community Health, said in an email. “Importantly, no patient medical or financial information was transferred as a result of this intrusion.”
Community Health is among several companies that have reported similar breaches. SuperValu Inc., a U.S. supermarket chain, said Aug. 15 that it incurred an attack that exposed customers’ credit- and debit-card information. The retailer Target Corp. was breached last year by Eastern European hackers who stole credit card numbers and other personal data from at least 70 million customers in one of the biggest retail hacking incidents in U.S. history.
The Chinese embassy in Washington, D.C., said it wasn’t aware of the attack. “Chinese laws prohibit cyber crimes of all forms and Chinese government has done whatever it can to combat such activities,” Geng Shuang, an embassy spokesman, said in an email. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”
The company could have done a better job safeguarding the data, said one electronic security expert. “There is no indication that this data was encrypted, which creates further challenges for the organization and the patients impacted,” JD Sherry, vice president for network security company Trend Micro Inc., said in an email.
Community Health said it hired electronic forensics specialist Mandiant Corp., a subsidiary of FireEye Inc., to investigate the incident and suggest security improvements. The hospital operator also working with the U.S. Federal Bureau of Investigation.
“We understand the significance of this and other recently announced cyber-intrusions by state actors and other cybercriminals and are committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators,” FBI spokesman Joshua Campbell said in an email.
Federal authorities and security experts have been tracking the Chinese state-sponsored group they believe is responsible for the breach over a period of several years. This is the first time the group has been linked to the theft of the kind of personal data in which cybercriminals specialize, according to a person familiar with the investigation.
Usually, the Chinese hacker group focuses on typical targets of industrial espionage, specializing in pharmaceutical companies and research related to the development of new drugs. It has occasionally targeted other sectors as well, according the person involved in the investigation, who agreed to speak only on condition of anonymity.
Community Health said it’s notifying patients and will be offering identity theft protection services to them. The company said it doesn’t believe the electronic break-in will affect its business.
Sherry said the hospital chain will have to reassure patients after the hacking incident.
“The bigger financial impact is the soft costs of losing patient trust and confidence in their services, which can be extremely difficult to recover from,” Sherry said.