Dive Brief:
- Franklin, TN-based Community Health Systems (CHS) announced Monday that it was the victim of a massive theft of the personal data of approximately 4.5 million people. The intrusion took place in April and June and exposed patient names, addresses, Social Security numbers and other HIPAA-protected data. The affected individuals were referred to, or received services from, physicians affiliated with CHS in the past five years.
- CHS' security contractor, Mandiant, a unit of FireEye Inc., said it believes the attack originated in China. According to CHS, the federal government says these kinds of attacks are usually geared toward the theft of intellectual property, such as medical device and equipment development information.
- CHS is implementing remediation procedures, including notifying affected patients and regulatory agencies.
Dive Insight:
CHS is one of the largest hospital operators in the country, managing 206 hospitals in 29 states. This is a high-profile breach, and it comes directly in the wake of the FBI's warning to the healthcare industry that it needs to shape up its data security efforts, cautioning providers that their current defenses are insufficient given the risk of cyberattacks.
Security experts say the intrusion likely began as an attempt to glean information from U.S. pharmaceutical and biotech companies before morphing into a patient data breach. “This appears to be a crime of opportunity in which attackers penetrate a system for one type of information, such as IP, but in the process find they also have access to highly marketable PII (personally identifiable information),” said Stephen Cobb of ESET, an IT security firm with North American headquarters in San Diego, in an interview with Modern Healthcare. “The existence of thriving underground markets in all forms of stolen data enables cyber-criminals to efficiently monetize such opportunities.”