Chinese Hackers Stole Info on 4.5 Million U.S. Hospital Patients
If you’ve been to a hospital in a small town or anywhere in the southeastern portion of the United States in the last few years, it’s worth keeping an eye on your personal information.
Community Health Systems, which operates 206 hospitals in 29 states, most of them in rural communities, said today that it suffered a data breach affecting the personal information of some 4.5 million patients.
In a regulatory filing with the U.S. Securities and Exchange Commission, the hospital company said it was attacked during April and June of this year by an “Advanced Persistent Threat” group believed to be operating out of China.
It’s not clear what the purpose of this attack may have been, though Community Health says the only thing it knows was stolen was “non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company.”
The phrase “Advanced Persistent Threat” is noteworthy because it was first used last year by the security firm Mandiant to describe a unit of the Chinese Army that has been accused of attacking the networks of scores of American, Canadian and British companies, dating as far back as 2006. The group’s operations were documented in excruciating detail in a landmark report.
Once it detected the attack, Community Health said it hired Mandiant, a unit of the security company FireEye, to investigate the incident. It’s unclear if Mandiant thinks this incident is the work of the same Chinese Army group that carried out the attack, or if it’s another group in China using similar tactics. The firm did not return calls seeking comment.
Mandiant’s report last year documented the operations of Unit 61398, a military cyberwar unit that stands accused of attacking the networks of at least 141 companies or organizations. On average, the hackers would spend nearly a year perusing a targeted company’s systems looking for sensitive information to steal: Product development plans, manufacturing techniques, business plans and the email messages of senior executives. The point is to help Chinese companies be more competitive.
China has officially denied the accusations, but the report was so detailed that the U.S. Department of Justice secured criminal indictments on five members of Unit 61398 which in turn poured new fuel on a diplomatic fire burning between the U.S. and China over the issue of cyber warfare.
For reference, here’s a map showing the location of Community Health’s hospitals around the U.S., which you can drill down on here. If you’ve been a patient at any of its hospitals in the last five years, you may be hearing from the company in the coming days.