Community Health System Reports Breach of 4.5M Patients’ Data
August 18, 2014 in News
On Monday, Community Health Systems announced that an external group of hackers attacked its computer network and stole the non-medical data of 4.5 million patients, Modern Healthcare reports.
CHS discovered the breach last month and believes the cyberattack occurred in April and June (Kutscher, Modern Healthcare, 8/18).
The incident is the second largest HIPAA breach ever reported and the largest hacking-related HIPAA data breach ever reported, according to data from the Office for Civil Rights.
Details of CHS Breach
Tennessee-based Community Health Systems operates 206 hospitals across 29 states.
In an Aug. 18 security filing, CHS officials said they believe the hacking group responsible for the breach is located in China and “used highly sophisticated malware and technology.”
The hackers accessed the following data from affected patients:
- Dates of births;
- Patient names;
- Social Security numbers; and
- Telephone numbers (McCann, Healthcare IT News, 8/18).
Hackers were able to circumvent CHS’ security measures and copy and transfer data outside the organization, FierceHealthIT reports (Dvorak, FierceHealthIT, 8/18).
According to Modern Healthcare, CHS is working with data security firm Mandiant to further investigate the breach and help prevent future attacks. In addition, CHS has notified affected patients and offered them identity theft protection services (Modern Healthcare, 8/18).
Details of N.C. Data Breach
In related news, the account information of 570 patients in North Carolina is at risk after a medical company’s subcontractor for four months failed to properly secure a computer server, Clinical Innovation Technology reports.
Georgia-based 24 ON Physicians said one of its business associates exposed patient data, including:
- Balances due;
- Billing-related status comments;
- Charge amounts;
- Invoice numbers; and
- Policy numbers.
However, a news release noted that Social Security numbers, bank account information and medical records were not compromised (Pedulli, Clinical Innovation Technology, 8/13).