Community Health Systems Inc., a Franklin, Tenn.-based Fortune 500 company that operates a total of 206 hospitals in 29 states, has divulged that it was the victim of a data breach that exposed the personal data of 4.5 million patients, with the company blaming the incident on a Chinese hacking group.
According to Community Health's 8-K filing with the U.S. Securities and Exchange Commission, the company, with outside help from the forensics firm Mandiant, a FireEye company, believed that criminals targeted its network in April and June. Community Health also explained that Mandiant investigated the incident and is helping with remediation efforts, including cleaning malware from its systems and putting in protections to prevent similar incidents in the future.
The filing stated that attackers were able to bypass the company's security measures to exfiltrate Health Insurance Portability and Accountability Act (HIPAA)-protected patient data from the last five years, including names, birthdates, contact details and Social Security numbers, though Community Health said that medical information and payment card data was not among the haul. Mandiant and federal authorities also linked the data breach perpetrators to other incidents that involved the theft of intellectual property, according to the filing.
In an interview with Reuters, Charles Carmakal, managing director with Mandiant, pinpointed "APT 18" -- a Chinese hacking group that has targeted enterprises in the aerospace, defense, engineering, financial services and healthcare industries in the past. Carmakal hinted that the group may have links to the Chinese government, but more intriguingly, this incident marks the first time that Mandiant has seen a Chinese group target personal data rather than intellectual property.
"They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected," Carmakal told Reuters.
As it stands, the Community Health incident would be the second largest healthcare data breach since the enactment of the HIPAA data breach notification rule in 2009. A 2011 incident involving the military health program TriCare, when backup tapes were stolen from the car of one of its contractor's employees, remains the largest with data from 4.9 million patients compromised.
Still, the consequences of the breach for Community Health remain murky. In May, two New York-based hospitals agreed to pay a $4.8 million settlement for a HIPAA violation, the largest fine ever, when they exposed the electronic protected health information of just 6,800 patients, though that case was the result of mishandling the data rather than malicious intent on the part of outside actors.
In its filing, Community Health seemed confident that, regardless of any penalties incurred, the company's cyber liability insurance would blunt the financial effects.
"[Community Health Systems] carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature," said the company in its filing. "While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, [Community Health Systems] does not believe this incident will have a material adverse effect on its business or financial results."