Community Health Systems, which operates University Medical Center in Lebanon and more than 200 other hospitals across the United States, announced Monday that about 4.5 million patients’ records were stolen during two recent cyber attacks.
CHS officials, in a U.S. Securities and Exchange Commission filing, said the company’s computer network was the target, in April and June, of an external criminal cyber attack by an “advanced persistent threat” group originating in China.
University Medical Center spokesman Adam Groshans said he didn’t know how many, if any, of the hospital’s patient records were stolen.
“From a CHS standpoint, we’ve got the best firm to handle this type of situation,” Groshans said. “It is a cyber attack from a foreign entity that is becoming more common in both the public and private sector. The firm we hired is taking steps to ensure patient privacy is the highest priority.
“It’s a situation that has not only affected health care, but it has also hit the retail sector, among others.”
CHS and its forensic expert, Mandiant, said they believe the attacker used highly sophisticated malware and technology to attack the company’s systems. According to the SEC filing, the attacker was able to bypass the company’s security measures and successfully copy and transfer certain data outside the company.
CHS officials said the FBI opened an investigation, and the company is working with agents to determine who is responsible for the attack.
CHS also engaged Mandiant, which conducted an investigation of the incident and is advising the company regarding remediation efforts.
“Immediately prior to the filing of this report, the company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type,” the SEC filing said. “The company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data.”
CHS officials said the data transferred was non-medical patient identification data related to the company’s physician practice operations and affected about 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with CHS. The company confirmed the data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birthdates, telephone numbers and Social Security numbers.
CHS officials said the company will provide appropriate notification to affected patients and regulatory agencies as required by federal and state law. CHS will also offer identity theft protection services to individuals affected by the attack.
Community Health Systems is a Fortune 500 company based in Franklin. It is the largest non-urban provider of general hospital health care services in the U.S. in terms of number of acute care facilities. The publicly traded company finished Monday at $51.66 per share, which was up 66 cents.