(Story updated at 3:05 p.m. ET on Monday, August 18.)
An outside group of hackers targeted Community Health Systems'
computer network and stole 4.5 million individuals' nonmedical patient data, the company disclosed Monday in a regulatory filing.
The Franklin, Tenn.-based chain, which says it has 206 hospitals in 29 states, said a group originating in China
used highly sophisticated malware and technology in the criminal attack. It believes the hackers were searching for intellectual property on medical devices and other equipment, but instead stole data on patients who sought care from its physician practices.
The data included names, addresses, birthdates, telephone numbers and Social Security numbers—all of which are protected under the Health Insurance Portability and Accountability Act
. However, the data did not include financial or medical information, Community said.
CHS reported it is working with Mandiant, an information security company, to investigate the incident and help prevent future attacks. Community already has removed the malware from its network and finalized remediation efforts. Federal law enforcement agents also are investigating the incident, which Community discovered last month and which it believes occurred in April and June.
The chain notified affected patients and is offering them identity theft protection services. Community said it carries cyber and privacy
liability insurance for this purpose.
This year, said Michael “Mac” McMillan, CEO of CynergisTek, there has been a spike in hacking activity directed at hospitals. Such activity hasn't been publicly disclosed because hacks were stopped before data was compromised, he said. CynergisTek is an Austin, Texas,-based security consulting firm,
“I know at least a half a dozen or so hacks against hospitals we work with where the data wasn't transferred, but it still caused a lot of disruption. But it wasn't a HIPAA issue, so it didn't get reported.
Hospitals are “going to become a bigger and bigger target as the hacking community figures out it's easier to hack a hospital than it is to hack a bank and you get the same information,” McMillan said. “I'm not sure healthcare is listening yet.”
The Community Health breach has not yet been posted on the public “wall of shame” website
, kept by the Office for Civil Rights at HHS since 2009 under the mandate of the American Recovery and Reinvestment Act.
Officials at the civil rights office, which has federal enforcement authority for HIPAA violations, were unavailable for comment at deadline.
If the CHS breach makes the list, it will be the second largest of 1,083 breaches and by far the largest attributed to hackers.
The law requires that breaches involving 500 or more individuals be publicly posted. Such larger breaches thus far have exposed the records of nearly 33.8 million individuals. In addition, through March 1 of this year, there have been about 116,000 breaches involving fewer than 500 individuals' records each, according to the OCR.
Hacks leading to breaches are fairly rare but they tend to be more calamitous than the average breach on the OCR's public list.
There are 76 breaches, or 7% of the total reported major breaches on the civil-rights office's list, that have been attributed to a “hacking/IT incident,” but they account for 9% of all records exposed.
The average hacking breach involved 38,718 records, compared with 31,185 records for the average breach overall, with the median hack affecting 2,821 records compared with 2,350 for all breaches.
Heretofore, the dubious distinction of worst hack on the civil-rights office list went to the Utah Department of Technology Services, whose servers carrying more than three quarters of a million records of the beneficiaries of the Utah Medicaid and Children's Health Insurance Program were breached in 2012 by hackers “believed to be operating out of Eastern Europe
The breach cost the state Department of Health $3.4 million
, with other triggered systems improvements pushing the total cost up to $9 million, the Salt Lake Tribune reported.
But the Community Health System attack set a new standard and may be a harbinger of hacks already occurring behind closed doors throughout the healthcare industry, privacy and security experts such as McMillian agree.
“This appears to be a crime of opportunity in which attackers penetrate a system for one type of information, such as IP, but in the process find they also have access to highly marketable PII (personally identifiable information),” said Stephen Cobb of ESET, an IT security firm based in Bratislava, Slovakia, with North American headquarters in San Diego. “The existence of thriving underground markets in all forms of stolen data enables cyber-criminals to efficiently monetize such opportunities.”
“That's the worst hack I've ever heard about,” said Pam Dixon, executive director of the World Privacy Forum, a San Diego based not-for-profit advocacy group. “They pulled out exactly what they wanted to pull out. They can create new credit cards with these identities and won't get dinged and they can go commit crimes with those identities,” such as human trafficking, Dixon said.
McMillan said an advanced persistent threat, the threat type cited by Community in its breach, “is a particular malware that never seems to go away.”
“It's out there in the environment,” McMillan said. “It's usually launched by botnets,” Internet-connected networks of computers often used by hackers.
“It's constantly out there. Depending on who released it and whatever its payload might be, it's looking for vulnerable systems. It's advanced in the sense that it can do real damage … it's got multiple capabilities to do harm.”Follow Beth Kutscher on Twitter: @MHbkutscherFollow Joseph Conn on Twitter: @MHJConn