Community Health Systems, a Tennessee-based hospital system, said it is contacting patients whose personal information may have been compromised last year in a data breach apparently originating from China.
CHS said the cyberattacks, which occurred in April and June 2014 but were not disclosed until August, were the work of an “Advanced Persistent Threat” group in China that used “highly sophisticated malware technology” to hack into the computer network of Community Health Systems Professional Services Corporation (CHSPSC, LLC), the corporation’s technology-services arm.
CHSPSC provides information technology services to 206 affiliated hospitals in 29 states. The cyberattack may have exposed as many as 4.5 million patients who were referred to the hospital or received services in CHS-affiliated hospitals over the past five years.
According to CHSPSC, the hackers were “able to bypass the company’s security measures and successfully copy and transfer some data existing on CHSPSC, LLC’s systems.” That data, the company said, consisted of “patients’ names, addresses, birthdates, social security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors.”
CHSPSC said that it does not believe any credit card information was stolen, but urged patients to monitor their credit reports for suspicious activity and signs of identity theft and other fraud.
According to InformationWeek, sources close to the investigation of the data breach indicate that neglect on the part of CHSPSC may have played a role in the attack. “According to these sources, CHS’s system was hacked through a test server that was never intended to be connected to the Internet at all,” InformationWeek reported. “Because Internet connectivity was not contemplated, the security features that would – and should – be deployed in a live production server were not installed on the test server.”
The CHS data breach came just weeks after the company agreed to pay the U.S. government more than $98 million to resolve lawsuits filed by several whistleblowers who alleged the company cheated Medicare, Medicaid, and other taxpayer-funded healthcare programs through fraudulent billing practices.
Lawyers in our Fraud Section are talking to patients whose data has been compromised in the CHS data breach. If you have received a letter from Community Health Systems, Inc., or CHSPSC, LLC, notifying you that your information may have been breached, or if you were a patient of a CHS-affiliated clinic or physician in the past five years and feel your information may have been compromised, we would like to speak with you.