COLLEGE STATION – A consumer alert for anyone who has been a patient at the College Station Medical Center over the past five years.
Community Health Systems Inc., the parent company of ‘The Med’, says a hacker in China obtained the names, addresses, birthdates, telephone numbers and social security numbers of millions of their patients across the country.
The data breach occurred in April and June. It was discovered last month, but The Med will not say how long they’ve known about it.
“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients,” said spokesperson Russell Marriot in a written statement to News 3.
Marriot said while they have no reason to believe the data would ever be used, all affected patients are being notified by mail. They will be offered free identity theft protection.
CHS is the largest hospital company in the country, in terms of the number of hospitals. The company operates 206 hospitals nationwide, including 18 in Texas.
Full Statement from College Station Medical Center
Limited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with College Station Medical Center over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers.
We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.
Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.
Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.
Statement from Tomi Galin, Community Health Systems
Unfortunately, we have joined numerous American companies and institutions who have been victimized by highly sophisticated, criminal cyber-attacks originating out of China. We worked quickly to identify and eradicate the intruder and we are also working closely with federal law enforcement authorities as they pursue the criminals responsible. While we did have security measures in place to protect our computer network and electronically stored information, this attacker used very sophisticated methods to bypass security systems.
Importantly, no patient medical or financial information was transferred as a result of this intrusion. Community Health Systems takes seriously the security and confidentiality of private patient information and we have taken additional steps to protect against future intrusions of this type.
The Company carries cyber/privacy liability insurance. We do not believe this incident will have a material adverse effect on our business or financial results.
Statement from CHS filed with the Securities and Exchange Commission
In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company. Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack. The Company also engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers. The Company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.