
Healthcare data breach exposes personal data of 4.5 million patients

The Community Health data breach exposed the personal data of 4.5 million patients of the healthcare entity, opening up potential regulatory issues.

Community Health Systems Inc., a Franklin, Tenn.-based Fortune 500 company that operates a total of 206 hospitals in 29 states, has divulged that it was the victim of a data breach that exposed the personal data of 4.5 million patients, with the company blaming the incident on a Chinese hacking group.

According to Community Health's 8-K filing with the U.S. Securities and Exchange Commission, the company, with outside help from the forensics firm Mandiant, a FireEye company, believed that criminals targeted its network in April and June. Community Health also explained that Mandiant investigated the incident and is helping with remediation efforts, including cleaning malware from its systems and putting in protections to prevent similar incidents in the future.

The filing stated that attackers were able to bypass the company's security measures to exfiltrate Health Insurance Portability and Accountability Act (HIPAA)-protected patient data from the last five years, including names, birthdates, contact details and Social Security numbers, though Community Health said that medical information and payment card data was not among the haul. Mandiant and federal authorities also linked the data breach perpetrators to other incidents that involved the theft of intellectual property, according to the filing.

In an interview with Reuters, Charles Carmakal, managing director with Mandiant, pinpointed "APT 18" -- a Chinese hacking group that has targeted enterprises in the aerospace, defense, engineering, financial services and healthcare industries in the past. Carmakal hinted that the group may have links to the Chinese government, but more intriguingly, this incident marks the first time that Mandiant has seen a Chinese group target personal data rather than intellectual property.

"They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected," Carmakal told Reuters.

As it stands, the Community Health incident would be the second largest healthcare data breach since the enactment of the HIPAA data breach notification rule in 2009. A 2011 incident involving the military health program TriCare, when backup tapes were stolen from the car of one of its contractor's employees, remains the largest with data from 4.9 million patients compromised.

Still, the consequences of the breach for Community Health remain murky. In May, two New York-based hospitals agreed to pay a $4.8 million settlement for a HIPAA violation, the largest fine ever, when they exposed the electronic protected health information of just 6,800 patients, though that case was the result of mishandling the data rather than malicious intent on the part of outside actors.

In its filing, Community Health seemed confident that, regardless of any penalties incurred, the company's cyber liability insurance would offset the financial effects of the breach.

"[Community Health Systems] carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature," said the company in its filing. "While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, [Community Health Systems] does not believe this incident will have a material adverse effect on its business or financial results."


OK. This is the latest out. And it will be until someone decides to look deeper into breaches and comprehensively determine who did it. It's convenient to just shout "The Chinese Did It", but I fear that lots of folks are going in that direction even when threats and breaches are internal or from corporate competitors.
It seems like we are always looking to blame someone else. It may be from an outside source but it would be so easy for internal theft it's almost scary. The disgruntled worker, who has access, may be looking to profit from the lack of internal security. This is a tough problem to fix with the influx of such small portable drives and mobile devices that are still allowed in the office.
Just went to my doc the other day. I was handed a card with info on how to access my records on the cloud, make appointments and order rx refills. I do not feel comfortable with my personal health info on the cloud. I have no choice either because this doctor/hospital is tied to my health insurance plan. Guess I have to cross my fingers and hope my data is safe.
I recently received a letter from a healthcare provider saying that my data could have potentially been compromised. As it says in the article, my letter said that the breach didn't include payment information, so I'm not terribly worried. If Chinese hackers want my medical history, they're welcome to it.

Between Target, Anthem, and now this, I guess at least I'm going to get enough free credit monitoring services to last a lifetime!