Chinese hackers supposedly behind theft of 4.5M patient records

Community Health Systems theft marks the largest civilian patient breach in U.S. history

Chinese hackers were apparently behind the theft of 4.5 million patient records, which included social security numbers, from Community Health Systems, a Franklin, Tenn.-based hospital group, said a filing with the Securities and Exchange Commission.

This marks the largest data breach of civilian patient records in U.S. history, according to data compiled by the Department of Health and Human Services. The larger 2011 Tricare Management Activity breach, in which an SAIC contractor lost unencrypted backup tapes, exposed the records of 4.9 million U.S. military personnel rather than civilians.

A Chinese hacker group was apparently able to inject "highly sophisticated malware" into the hospital group's computer network and siphon off the patient records, according to an investigation conducted by the company and third-party forensic expert Mandiant. The breach took place between April and June of this year but was not discovered until July.

The records included patient names, addresses, birth dates, telephone numbers as well as social security numbers, information that health organizations are required to protect under the Health Insurance Portability and Accountability Act.

"The fact that 4.5M patient records were stolen is alarming," comments Eric Chiu, president and co-founder of cloud security firm HyTrust.

"This type of data is generally stored on servers in the core of a data center that would require 'insider' (employee) access. It would typically be stolen using employee credentials, which can also mean an outside attacker accessing the organization's network. In addition, it's likely that this data was stolen over days or even weeks or months without being detected, which would also indicate that the attack leveraged or came from the inside," Chiu adds.

Community Health Systems says it is notifying affected patients as well as federal and state regulatory agencies. The company carries cyber liability insurance to protect against losses from a data breach.

Commenting on the hospital group's use of cyber liability insurance, Jerome Segura, senior security researcher at Malwarebytes Labs, says:

"Overall, the medical sector is not as well protected against such attacks as other sectors and oftentimes firms will rely on their liability insurance to cover themselves instead of dedicating a budget for cybersecurity. This may work from a business standpoint in a typical risk versus cost scenario, but it completely ignores the implications on individuals who may face the pain and worry of identity theft or privacy violations."

For more:
- read the SEC filing
- check out the HHS breach site
