Community Health Systems, a Tennessee-based hospital system, said it is contacting patients whose personal information may have been compromised last year in a data breach apparently originating from China.

CHS said the cyberattacks, which occurred in April and June 2014 but were not disclosed until August, were the work of an “Advanced Persistent Threat” group in China that used “highly sophisticated malware technology” to hack into the computer network of Community Health Systems Professional Services Corporation (CHSPSC, LLC), the corporation’s technology-services arm.

CHSPSC provides information technology services to 206 affiliated hospitals in 29 states. The cyberattack may have exposed as many as 4.5 million patients who were referred to the hospital or received services in CHS-affiliated hospitals over the past five years.

According to CHSPSC, the hackers were “able to bypass the company’s security measures and successfully copy and transfer some data existing on CHSPSC, LLC’s systems.” That data, the company said, consisted of “patients’ names, addresses, birthdates, social security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors.”

CHSPSC said that it does not believe any credit card information was stolen, but urged patients to monitor their credit report for suspicious activity and signs of identity theft and other fraud.

According to InformationWeek, sources close to the investigation of the data breach indicate that neglect on the part of CHSPSC may have played a role in the attack. “According to these sources, CHS’s system was hacked through a test server that was never intended to be connected to the Internet at all,” InformationWeek reported. “Because Internet connectivity was not contemplated, the security features that would – and should – be deployed in a live production server were not installed on the test server.”

The CHS data breach came just weeks after the company agreed to pay the U.S. government more than $98 million to resolve lawsuits filed by several whistleblowers who alleged the company cheated Medicare, Medicaid, and other taxpayer-funded healthcare programs through fraudulent billing practices.

Lawyers in our Fraud Section are talking to patients whose data has been compromised in the CHS data breach. If you have received a letter from Community Health Systems, Inc., or CHSPSC, LLC, notifying you that your information may have been breached, or if you were a patient of a CHS-affiliated clinic or physician in the past five years and feel your information may have been compromised, we would like to speak with you.

For more information, contact Dee Miles, Principal & Consumer Fraud Section Head, or attorneys Andrew Brashier, Archie Grubb or Larry Golston.

Community Health Systems
U.S. Department of Justice

We're here to help!

We live by our creed of “helping those who need it most” and have helped thousands of clients get the justice they desperately needed and deserved. If you feel you have a case or just have questions please contact us for a free consultation. There is no risk and no fees unless we win for you.

Fields marked * may be required for submission.

The extra mile

I can't thank Beasley Allen enough for their excellent and hard work. At every point, they went the extra mile.