The data affected was non-medical patient identification data related to Community Health Systems' physician practice operations and does not include patient credit card, medical, or clinical information, CHS says.
Community Health Systems Inc. said Monday that its computer network was "the target of an external criminal cyberattack" between April and June that may have compromised the personal data of 4.5 million patients.
"The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an "advanced persistent threat" group originating from China who used highly sophisticated malware and technology to attack the Company's systems," Franklin, TN-based CHS said in a Form 8-K filing Monday with the Securities and Exchange Commission.
"The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data."
"However, in this instance, the data transferred was non-medical patient identification data related to the Company's physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company."
HIPAA Violated
CHS said the data didn't include patient credit card, medical or clinical information. "The data is, however, considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birthdates, telephone numbers and social security numbers. The Company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law."
CHS said in its SEC filing that it had "completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type."
CHS operates 206 hospitals in 29 states. Since learning of the attack, CHS said it has worked with federal law enforcement authorities to find those responsible for the attack.
"The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results." CHS acquired Health Management Associates and its 70 hospitals in January.
Earlier this month, CHS agreed to a $98.1 million payout to settle system-wide fraud allegations levelled by whistleblowers.
Pages
John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.