Community Health Systems Inc, one of the biggest hospital groups in the United States with 206 hospitals in 29 states, reported the theft of personal data belonging to 4.5 million of its patients. This data included Social Security numbers, patient names, addresses, birth dates, and telephone numbers. It did not include medical or clinical information, credit card numbers, or intellectual property (such as data on medical device development). Community Health said that it has combed its systems and removed all the malicious software used by the attackers, and is now notifying patients and regulatory agencies, as required by law.
Security experts said that the hacking group, known as “APT 18″ might have links to the Chinese government. “APT 18″ has targeted other companies in the healthcare industry, as well as those in aerospace and defense, financial services, and construction and engineering. ”They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected,” said Charles Carmakal, managing director with FireEye Inc’s (FEYE.O) Mandiant forensics unit, which led the investigation of the attack on Community Health. Mandiant reported seeing a rise in cyber attacks on healthcare providers in the last 6 months, but this was the first case it had seen in which a sophisticated Chinese group has stolen personal data.
Cybersecurity has come under increasing scrutiny at healthcare providers this year, with more and more information being stored online. In April, the FBI warned the healthcare industry that its online data protections were lax compared with other sectors. FBI spokesman Joshua Campbell said his agency was investigating the Community Health case but did not give any further details, and the Department of Homeland Security said that the incident is believed to have been isolated.