Chinese cyberattack steals 4.5 million patients' data from hospital records

Tennessee-based Community Health Systems, which runs 206 hospitals in 29 states, says no medical information was exposed, however.

The New York Times: Hack Of Community Health Systems Affects 4.5 Million Patients
Community Health Systems, a publicly traded hospital operator based in Franklin, Tenn., said that personal data, including names, Social Security numbers and addresses, for 4.5 million patients had been compromised in a Chinese cyberattack on its systems from April to June (Perlroth, 8/18).

Los Angeles Times: Hackers Stole 4.5 Million Patients' Data In Hospital Breach
A cyberattack suspected to have originated in China stole Social Security numbers and other personal data for 4.5 million patients whose records were in Community Health Services Inc.'s system, the company said Monday. The data breach included the names, addresses, birth dates, telephone numbers and Social Security numbers of patients who were referred for or received services from doctors affiliated with the hospital group in the last five years. It did not include patient credit card, medical or clinical information, the company said in regulatory filings (Garland, 8/18).

The Wall Street Journal: Community Health Systems Says It Suffered Criminal Cyberattack
The rural hospital operator and cybersecurity firm Mandiant believe the attacker was an "Advanced Persistent Threat" group originating from China, it said. The attacker, which used highly sophisticated malware and technology to attack the company's systems, was able to bypass Community Health Systems' security measures and to successfully copy and transfer certain data outside the company, it said (McCarthy, 8/18).

The Wall Street Journal: Investigators: We Don't Know Why China Hacked Hospitals
Community Health Systems Inc. made headlines Monday when it announced Chinese hackers took records on 4.5 million patient records, according to a securities filing. But it remains unclear why the hacker group, which normally targets trade secrets like plane blueprints and health device designs, wanted personal data (Yadron, 8/18).

Bloomberg: Why Would Chinese Hackers Steal Millions Of Medical Records
Security experts say it's unusual for accomplished thieves of corporate secrets to suddenly turn to stealing personal data on individuals, which is what you'd expect from Eastern European hacking gangs and cyber-crime rings. It's possible that the hackers were scraping all the data they could from Community Health's systems and wound up with personal data, without any intentions of selling or using it. The hackers could also have stolen the information for the purposes of locating new targets or adding private data to the profiles of existing targets. Perhaps the most likely theory is that rogue members, tempted by the money they could make, stole the data to sell it on the black market in actions not sanctioned by their superiors, according to a person familiar with the investigation, who spoke on condition of anonymity (Riley and Robertson, 8/18).

USA Today: Health Network Reports 4.5 Million Patients Had Information Hacked
Too few health care companies invest in computer security, said Philip Lieberman, president of Lieberman Software in Los Angeles. He noted the FBI had warned health care companies in April that the sector's cybersecurity was lax. HIPAA does little to protect patients and offers companies little incentive to invest in computer security -; and too many haven't done so, he said. Still, says Trey Ford, a security strategist at Rapid7, a security analysis firm in Boston, "hospitals are arguably one of the hardest network environments to secure; their primary focus is on protecting and improving human life, and this often eclipses all other priorities," he said (Weise, 8/18).