Written by Julia Siripurapu, CIPP/US and Dianne J. Bourque
Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8-K) made yesterday with the Securities and Exchange Commission (the “Report”) that the Company was the target of a cyber attack that compromised the health data of 4.5 million individuals. The Company operates 206 general acute care hospitals in 29 states with approximately 31,100 licensed beds.
According to the Report, the Company and its forensic expert, Mandiant, confirmed last month that the Company’s computer network was attacked in April and June 2014 by an “Advanced Persistent Threat” group that was traced back to China. Using highly sophisticated malware and technology, the attacker bypassed the Company’s security measures, copied protected health information (“PHI”), including names, addresses, birthdates, telephone numbers and Social Security numbers of individuals referred to or treated at hospitals operated by the Company in the last five years, and transferred that information outside the Company. The Company disclosed in the Report that it is providing the notifications required under state breach notification laws and HIPAA to the individuals affected by the attack and to the applicable regulatory agencies, and that it will offer identity theft protection services to affected individuals. The Company also disclosed that, immediately prior to the filing of the Report, it “completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.”
The Company’s announcement of the breach (the “Posting”), posted on its website in accordance with HITECH requirements, locates the breach at Community Health Systems Professional Services Corporation (“CHSPSC”), a Tennessee company that provides management, consulting and information technology services to clinics and hospital-based physicians. CHSPSC may be a business associate of the Company, although neither the Report nor the Posting confirmed CHSPSC’s status. The Posting provided additional information regarding breach remediation efforts, which also include audit and surveillance technology to detect unauthorized intrusions, the adoption of advanced encryption technologies, and requiring users to change access passwords. If these security measures were lacking prior to the breach, that will be an important fact in any ensuing enforcement by the Office for Civil Rights in connection with the breach.
This data breach ranks as the second-largest breach of medical data in the country to date, based on the breaches of medical data affecting more than 500 individuals reported to the U.S. Department of Health & Human Services.