Patients personal information stolen from China-originated attack

Kosciusko Community Hospital, a Community Health Systems Inc. hospital, is among those victimized by a cyber attack that stole patient names, addresses, Social Security numbers and birth dates of 4.5 million patients.

Community Health Systems Inc. filed a regulatory statement today detailing the attack noting it believes the attack originated in China. “… the attacker was an ‘Advanced Persistent Threat’ group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company,” said the report.

The attack on Community Health Systems, one of the biggest U.S. hospital groups, happened in April and June and affected patients who both sought services or were referred from doctors affiliated with the hospital group in the last 5 years. 

The regulatory filing noted Community Health Systems investigators say the Chinese group believed to be behind the attack typically seeks valuable intellectual property, such as medical device and equipment development data, rather than the personal information stolen from the hospital group.

The company’s filing further noted the stolen data does not include credit card numbers, medical or clinical information, though the types of personal information stolen were still covered by the U.S. government’s Health Insurance Portability and Accountability Act, or HIPAA.

Joy Lohse, marketing and public relations director for Kosciusko Community Hospital said in a statement, “Limited personal identification data belonging to some patients who were seen at Kosciusko Medical Group clinics over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and Social Security numbers.

“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience this event may cause for our patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.

“Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property,” continued Lohse in the statement. “The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.

“Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.”

Community Health Systems has 206 hospitals in 29 states and “carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature,” noted the filing. “While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.”