Hacked Screen

grapegeek/iStockphoto

Security


If you’ve been to a hospital in a small town or anywhere in the southeastern portion of the United States in the last few years, it’s worth keeping an eye on your personal information.

Community Health Systems, which operates 206 hospitals in 29 states, most of them in rural communities, said today that it suffered a data breach affecting the personal information of some 4.5 million patients.

In a regulatory filing with the U.S. Securities and Exchange Commission, the hospital company said it was attacked during April and June of this year by an “Advanced Persistent Threat” group believed to be operating out of China.

It’s not clear what the purpose of this attack may have been, though Community Health says the only thing it knows was stolen was “non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company.”

The phrase “Advanced Persistent Threat” is noteworthy because it was first used last year by the security firm Mandiant to describe a unit of the Chinese Army that has been accused of attacking the networks of scores of American, Canadian and British companies, dating as far back as 2006. The group’s operations were documented in excruciating detail in a landmark report.

Once it detected the attack, Community Health said it hired Mandiant, a unit of the security company FireEye, to investigate the incident. It’s unclear if Mandiant thinks this incident is the work of the same Chinese Army group that carried out the attack, or if it’s another group in China using similar tactics. The firm did not return calls seeking comment.

Mandiant’s report last year documented the operations of Unit 61398, a military cyberwar unit that stands accused of attacking the networks of at least 141 companies or organizations. On average, the hackers would spend nearly a year perusing a targeted company’s systems looking for sensitive information to steal: Product development plans, manufacturing techniques, business plans and the email messages of senior executives. The point is to help Chinese companies be more competitive.

China has officially denied the accusations, but the report was so detailed that the U.S. Department of Justice secured criminal indictments on five members of Unit 61398 which in turn poured new fuel on a diplomatic fire burning between the U.S. and China over the issue of cyber warfare.

For reference, here’s a map showing the location of Community Health’s hospitals around the U.S., which you can drill down on here. If you’ve been a patient at any of its hospitals in the last five years, you may be hearing from the company in the coming days.

community_health_locations

Source: Community Health Systems



5 comments
Todd Day
Todd Day

And NO, this is not life lock.  They allow the transaction to happen and communicate with other sources they use to try to stop the transaction.  C.A.M.I.S. does not allow it to happen period.  C.A.M.I.S. offers monthly audits, intrusion alerts and a number of other things.

Todd Day
Todd Day

If people had C.A.M.I.S. they would not have to worry about this. C.A.M.I.S. is an awesome product. It is proactive software that stops the perpetrator from using the information on the spot. nothing will go through and the real person will be notified to authenticate the usage of their personal information. It only costs $1 a month.

Nargg
Nargg

OMG, the Chinese now know I have an ingrown toenail?!?!?  What's the World coming to?!?!?!

iAPX
iAPX

Posted a comment, and after page reloading it have disappeared! What's the...

iAPX
iAPX

I wonder what is precisely "non-medical patient identification data".


SAN? Anything necessary to be able to stole an identity? Payment informations? Insurance informations)

The funny thing is that non-medial patient information could lead to identify type of treatments (ie hospital and/or sectors within them), regularity, and thus give access to medical informations. Payment informations too. Hospital and "non-medical patient identification data" may lead to phone access to medical informations, or enable phone spam to these patients, impersonating medical administration calls. Or impersonate a patient with it's identification informations (and insurance datas) to provides access to medical care on their behalf.


It's clearly a huge breach, and a possibility to abuse in many ways the medical system, and also the patient themselves!

Follow

Get every new post delivered to your Inbox.

Join 299,779 other followers