Hospital operator Community Health Systems admitted on Monday in a U.S. Securities and Exchange Commission filing that it was hacked in April and June. The data compromised in the hack was connected to 4.5 million people.
Community Health Systems is working with cybersecurity firm Mandiant to investigate the breach and respond. The SEC filing describes the hackers as “an ‘Advanced Persistent Threat’ group originating from China”—that's the same language Mandiant used to describe alleged hacking by the Chinese Army last year. The filing goes on to describe a sophisticated malware attack that got around CHS's network security. The company functions in 29 states, operating 206 hospitals.
The stolen data is related to patients who were referred to or from physicians connected to CHS. It's quite the little trove of personal data, too, though it's all non-medical. CHS says that patient names, addresses, birthdates, telephone numbers, and Social Security numbers were all compromised. The company is reaching out to everyone whose information was potentially exposed.
CHS has eliminated the malware and is working on shoring up its defenses. It's unclear what motivated the hack, or why the personal data was valuable to the intruders, since CHS told the Wall Street Journal that this hacker group is typically looking for more general industry information. To check whether you've visited a CHS hospital in the past five years, check this map (an interactive version of the one above). CHS is offering identity theft protection to everyone affected by the hack.
Unfortunately, large-scale data breaches like this feel pretty normal these days. CHS even told the Journal that it doesn't think the hack will affect its financial results. Not a great incentive to make security improvements.