Hospitals Say Hackers Stole Records of 4.5 Million Patients

One of the nation’s largest hospital operators said Monday that hackers from China stole personal information belonging to 4.5 million patients. While the data was pilfered between April and June of this year from Community Health System Inc., anyone who was a patient at an affiliated hospital during the past five years might be a victim, the company said.

Community Health Systems operates 206 hospitals in 29 states. In a filing with the Securities and Exchange Commission, the firm said the computer criminals did not steal “medical or clinical information,” but they did obtain Social Security numbers, names, addresses, birth dates and telephone numbers.

Those are the basic ingredients needed to commit so-called “new account” fraud, often the most troublesome for consumers, and most lucrative for criminals.

The announcement comes after the FBI warned healthcare providers back in April that their security systems were “not as resilient to cyber intrusions compared to the financial and retail sectors,” Reuters reported at the time.

Community Health hired security firm Mandiant to conduct the forensic investigation after it learned of the crime. Mandiant, since acquired by security firm FireEye, made a name for itself last year when it published a blockbuster report identifying “APT1,” an organized ring of Chinese hackers devoted to espionage that Mandiant said was linked to the Chinese Army.

Get everything you need to master your credit today.

Get started for free

It is not clear whether Mandiant blames this hack on APT1, but Community Health said in its filing that its attackers are known for committing espionage.

“This intruder has typically sought valuable intellectual property, such as medical device and equipment development data,” the firm said. “However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. ”

Hackers used “highly sophisticated malware and technology” to deploy an advanced persistent threat, the firm said. As opposed to a hit-and-run attack, APTs, as the security community calls them, refer to a hacker strategy involving tools that are used to infiltrate computer networks, then remain hidden for weeks, months or even years, slowly siphoning off data or intelligence.

While medical information was not stolen, the personal information pilfered is considered protected under the Health Insurance Portability and Accountability Act (HIPAA). The hospital chain said it will notify impacted consumers.

If this particular breach or any recent-high profile data leak affected you — and as more and more consumer data gets stolen in data breaches, it’s likely you’ll be affected at some point – it’s important to make a habit of checking your credit. When hackers steal data that can be used to open new accounts (like SSNs and birth dates), you need to be especially vigilant about checking for fraudulent accounts on your credit reports. Fraudulent accounts, left undiscovered by you, can destroy your credit.

If you monitor your credit scores regularly (which you can do for free through Credit.com) and notice a big, unexplained change in your scores, that could be a sign of new account fraud – and is a good indicator that it’s time to check your reports. If you do discover fraudulent accounts on your credit report, contact the creditor as well as the credit reporting agency that issued your report, to notify them of fraud.